BUG - Change expired http status code from 403 to 401 #667
Labels
breaking-change
Changes to the code might result in breaking-changes
bug
Something isn't working
low
Low priority to be worked on.
As per oauth spec:
https://tools.ietf.org/html/rfc6750#section-3.1
expired tokens are considered "invalid tokens", which are a 401 error
"insufficient scope" is a 403 error
This is a breaking change since the expected error is changing. Not high priority, since a 400-level error is thrown. It's just not the right type.
This applies to the JWT tests for expired tokens as well.
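To make the RFC 6750 mapping concrete, here is an added example (not code from this project) of a bearer-token check that produces the status codes and `WWW-Authenticate` challenges the issue asks for: a missing token or an expired/unknown token gets 401 with `error="invalid_token"` (a missing token gets a bare `Bearer` challenge, as section 3.1 requires), and a valid token lacking the required scope gets 403 with `error="insufficient_scope"`. The `TokenRecord` store, the `NOW` clock value and the function name `bearer_response` are assumptions for illustration; a real service would derive the expiry and scopes from the JWT's `exp` and `scope` claims after verifying the signature.

```python
from dataclasses import dataclass

# Fixed clock so the example is deterministic (assumption, not project code).
NOW = 1_700_000_000


@dataclass(frozen=True)
class TokenRecord:
    """Minimal stand-in for the claims a verified JWT would carry."""
    expires_at: int          # like the JWT 'exp' claim, seconds since epoch
    scopes: frozenset        # like the JWT 'scope' claim, split on spaces


# Constructed in-memory token store; opaque strings stand in for real tokens.
TOKENS = {
    "tok-valid":   TokenRecord(expires_at=NOW + 3600, scopes=frozenset({"read", "write"})),
    "tok-expired": TokenRecord(expires_at=NOW - 1,    scopes=frozenset({"read", "write"})),
}


def _challenge(error, description=None, scope=None):
    """Build the WWW-Authenticate header value defined in RFC 6750 section 3."""
    parts = [f'error="{error}"']
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(parts)


def bearer_response(token, required_scope, now=NOW, tokens=TOKENS):
    """Return (status, headers) for a bearer-token protected request.

    RFC 6750 section 3.1:
      invalid_token      -> 401 (unknown, malformed or expired token)
      insufficient_scope -> 403 (token is valid but lacks the needed scope)
    A request with no token at all gets 401 and a bare "Bearer" challenge.
    """
    if token is None:
        # No credentials presented: challenge without an error code.
        return 401, {"WWW-Authenticate": "Bearer"}

    record = tokens.get(token)
    if record is None:
        return 401, {"WWW-Authenticate": _challenge("invalid_token", "unknown token")}

    if record.expires_at <= now:
        # Expired is a kind of invalid token, hence 401 rather than 403.
        return 401, {"WWW-Authenticate": _challenge("invalid_token", "token expired")}

    if required_scope not in record.scopes:
        # Authenticated, but not authorized for this resource: 403.
        return 403, {"WWW-Authenticate": _challenge("insufficient_scope", scope=required_scope)}

    return 200, {}


if __name__ == "__main__":
    for tok, scope in [(None, "read"), ("tok-expired", "read"),
                       ("tok-valid", "admin"), ("tok-valid", "read")]:
        print(tok, scope, bearer_response(tok, scope))
```

The distinction matters for clients and monitoring: a 401 tells the client its credential is the problem and it should obtain a new token, whereas a 403 says the credential is fine but does not carry the needed permission, so no amount of re-authenticating will help. Alerting that keys on 403s to spot privilege probing will be polluted if expired tokens are reported under the same code.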