You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"message": "Authentication method not supported.",
"http": 403,
"tags": [
"Account Management"
]
},
"TokenInvalid": {
"description": null,
"message": "Authorization token has expired or is invalid. Please authenticate again.",
"http": 403,
"tags": [
"Account Management"
]
},
"CredentialsInvalid": {
"description": null,
"message": "Credentials are not correct.",
"http": 403,
While discussing some auth related integrations, @JanssenBrm noted that 401 (Unauthorized) is actually more correct for these error situations:
from RFC 9110:
The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource.
The 403 (Forbidden) status code indicates that the server understood the request but refuses to fulfill it. ... If authentication credentials were provided in the request, the server considers them insufficient to grant access.
So 403 means that the provided credentials were correctly parsed and the users is fully authenticated, but additional access rules deny permission.
And 401 means that there is something wrong with the provided credentials, failing authentication.
The text was updated successfully, but these errors were encountered:
soxofaan
changed the title
HTTP status code of AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid
HTTP status code 401 for AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid
Nov 21, 2023
Yeah, AuthenticationSchemeInvalid should probably be 401, TokenInvalid is debatable and both fit according to the quote, CredentialsInvalid is clearly 403 to me.
TokenInvalid is debatable and both fit according to the quote
TokenInvalid (with message "Authorization token has expired or is invalid") only fits "401 ... lacks valid authentication credentials" in my understanding
CredentialsInvalid is clearly 403 to me.
I think I understand what you mean, but the current error code and message troubles that understanding I guess:
CredentialsInvalid: Credentials are not correct
you can easily interpret this as unparsable/expired tokens.
However "403 Forbidden" considers the the provided tokens as valid, but the associated permissions are insufficient. I think it makes sense to clarify this a bit in the error message (changing the error code is probably too much of a change), e.g.
The provided credentials do not give access to the requested resource
AuthenticationSchemeInvalid/TokenInvalid/CredentialsInvalid are currently associated with HTTP status code
403 (Forbidden)
:openeo-api/errors.json
Lines 360 to 379 in c5a45b4
While discussing some auth related integrations, @JanssenBrm noted that
401 (Unauthorized)
is actually more correct for these error situations:from RFC 9110:
So 403 means that the provided credentials were correctly parsed and the users is fully authenticated, but additional access rules deny permission.
And 401 means that there is something wrong with the provided credentials, failing authentication.
The text was updated successfully, but these errors were encountered: