Stream: smart
Topic: Expected Return is Scope violation
Angus Millar (Jun 22 2018 at 10:19):
If the request's scopes result in the request being denied, what is the expected return? Is it a 403 Forbidden
and should we return an OperationOutcome explaining why?
Josh Mandel (Jun 22 2018 at 10:34):
Those options are not exclusive. You can include a response body with explanations but we did not mandate anything in that regard.
Jenni Syed (Jun 22 2018 at 15:47):
@Angus Millar Is the denial happening in the authorization process?
Jenni Syed (Jun 22 2018 at 15:48):
If so, it would follow OAuth 2 RFC: https://tools.ietf.org/html/rfc6749#section-4.1.2
Jenni Syed (Jun 22 2018 at 15:53):
If it's the resource server, you could also return error codes in the header (as Josh mentions, this is optional, and not called out as required by SMART either): https://tools.ietf.org/html/rfc6750#section-3.1 (and you could include OperationOutcomes in the body as well).
Angus Millar (Jun 23 2018 at 02:56):
@Angus Millar Is the denial happening in the authorization process?
No, happening at scope validation. Thanks for the succinct references Jenni.
Looks like I need to add an HTTP header WWW-Authenticate: Bearer realm="Access to the development area", error="insufficient_scope"
and I will include an OperationOutcome in the body, by choice.
Last updated: Apr 12 2022 at 19:14 UTC