I am writing an API that uses the OAuth 2.0 password flow to authenticate users. When a request for an access token is denied, there does not seem to be any way for a client to tell whether the password was incorrect or expired. From the spec, an error code of invalid_grant should be returned in both cases:
invalid_grant: The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
Is it acceptable to use the error_description field of the response to state that the password has expired so that the client can take the necessary action, and if not, what is the standard approach for handling password expiry with OAuth?
Upvotes: 1
Views: 1218
"Leaking" the reason for such a failure, such as "password was incorrect, or expired", is NOT a best practice for authentication.
I would suggest that the "server" log the reason for the failure and NOT return the information to the requestor.
Upvotes: 0
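An added example (not code from the question or the answer above) of a password-grant token endpoint that follows the answer's advice: the failure reason is written to a server-side audit log, and the client always receives the same RFC 6749 section 5.2 invalid_grant response whether the password was wrong, expired, or the user does not exist. The user store, its expiry timestamps, the salt and the example clock are constructed for this illustration.

```python
import hashlib
import hmac
import json
import logging
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

audit_log = logging.getLogger("token_endpoint.audit")

# Internal failure reasons (names constructed for this example); they never reach the client.
BAD_PASSWORD, PASSWORD_EXPIRED, UNKNOWN_USER = "bad_password", "password_expired", "unknown_user"

# Constructed user store: PBKDF2 password hashes plus a per-user password expiry (hypothetical schema).
SALT = b"constructed-example-salt"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # example clock used by the checks below


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {
    "alice": {"hash": _hash("correct horse"), "expires": datetime(2030, 1, 1, tzinfo=timezone.utc)},
    "bob": {"hash": _hash("battery staple"), "expires": datetime(2020, 1, 1, tzinfo=timezone.utc)},
}
DUMMY_HASH = _hash("dummy")  # compared against for unknown users so the cost is the same


def classify_failure(username: str, password: str, now: datetime) -> Optional[str]:
    """Return the internal reason for denying the grant, or None if the credentials are good."""
    record = USERS.get(username)
    if record is None:
        hmac.compare_digest(DUMMY_HASH, _hash(password))  # constant work, result ignored
        return UNKNOWN_USER
    if not hmac.compare_digest(record["hash"], _hash(password)):
        return BAD_PASSWORD
    if now >= record["expires"]:  # only evaluated once the password itself is correct
        return PASSWORD_EXPIRED
    return None


def invalid_grant_response(reason: str, username: str, client_id: str) -> Tuple[int, Dict[str, str], str]:
    """RFC 6749 section 5.2 error response: HTTP 400, error=invalid_grant, one generic description."""
    audit_log.warning("token request denied client=%s user=%s reason=%s", client_id, username, reason)
    headers = {"Content-Type": "application/json;charset=UTF-8", "Cache-Control": "no-store", "Pragma": "no-cache"}
    body = json.dumps({"error": "invalid_grant", "error_description": "Invalid resource owner credentials."})
    return 400, headers, body


def handle_token_request(form: Dict[str, str], client_id: str, now: datetime = NOW):
    """Password grant (RFC 6749 section 4.3.2): a success response or the uniform invalid_grant error."""
    username, password = form.get("username", ""), form.get("password", "")
    reason = classify_failure(username, password, now)
    if reason is not None:
        return invalid_grant_response(reason, username, client_id)
    token = {"access_token": "constructed-token", "token_type": "Bearer", "expires_in": 3600}
    return 200, {"Content-Type": "application/json;charset=UTF-8", "Cache-Control": "no-store"}, json.dumps(token)
```

The audit log line is where an operator sees bad_password versus password_expired; a client that needs to handle expiry is expected to be told so through a separate channel, not the token error.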