Reputation: 3495
HTTP status if re-authentication is required
Which status code would you use in this scenario, assuming you're using a token based authentication:
- The client has a token and makes a request to the server.
- The token expired and the server sends a 401 Unauthorized.
- The client sends the refresh token.
- The token is invalid and the server responds with XXX?
The use case would be an application, that automatically catches 401's and makes a request with the refresh token. If the server would respond with a 401 if this token is not valid, the client would try to request a new access token with the refresh token forever. But it should tell the client, that it should re-authenticate with its credentials (e.g. email and password).
I was just wondering which status code would be the best fit in this scenario, as the spec says in case of a 403 Forbidden "authorization will not help".
Upvotes: 3
Views: 1420
Answers (1)
Reputation: 6726
I would not make access and refresh tokens interchangeable: Use Access-Tokens to access protected resources and use Refresh-Token to fetch new Access-Token from a special end-point. OpenID Connect works this way.
You would have one HTTP request more but HTTP codes would not be a problem and, in my opinion, you would get a cleaner code.
Upvotes: 1
Related Questions
- What HTTP code should I use for a third party authentication failure?
- What HTTP status code return when user needs to be UNAUTHORIZED to access page
- Appropriate HTTP status for redirecting to authentication in a REST api
- Correct return status code for authentication issues?
- Correct http status code for resource which requires authorization
- HTTP Status Code for Authenticated but Unauthorized?
- HTTP Status for "already logged in"
- Alternative to HTTP Status Code 401?
- HTTP status code for missing authentication
- REST http status code for content that needs authentication?