Stream: implementers
Topic: HTTP code 400 or 401
Yunwei Wang (Feb 27 2020 at 19:43):
Server requests client to send bearer token. If client does not send bearer token, what would be the server's response? 400 or 401. I thought it would be 401 (unauthorized) but I don't see any reference in OAuth2 or FHIR Security.
Josh Mandel (Feb 27 2020 at 20:12):
There's advice at https://tools.ietf.org/html/rfc6750#section-3 -- it's here because it's (supposedly) advice about how to use bearer tokens in OAuth 2, rather than generic advice about OAuth 2 usage.
Josh Mandel (Feb 27 2020 at 20:13):
But the only mention of specific response codes is an example:
If the request lacks any authentication information (e.g., the client was unaware that authentication is necessary or attempted using an unsupported authentication method), the resource server SHOULD NOT include an error code or other error information. For example:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example"
Josh Mandel (Feb 27 2020 at 20:14):
The only strong advice is:
If the protected resource request does not include authentication credentials or does not contain an access token that enables access to the protected resource, the resource server MUST include the HTTP "WWW-Authenticate" response header field; it MAY include it in response to other conditions as well.
John Moehrke (Feb 27 2020 at 22:04):
WHY are we discussing the same issue in many places??? http://build.fhir.org/security.html#AccessDenied
Yunwei Wang (Feb 28 2020 at 00:00):
Sorry my fault. They are slightly different questions. Let's move to the one in argonaut.
Last updated: Apr 12 2022 at 19:14 UTC