1 vote

Which status code would you use in this scenario, assuming you're using token-based authentication:

  1. The client has a token and makes a request to the server.
  2. The token expired and the server sends a 401 Unauthorized.
  3. The client sends the refresh token.
  4. The token is invalid and the server responds with XXX?

The use case would be an application that automatically catches 401s and makes a request with the refresh token. If the server responded with a 401 when this token is not valid, the client would try to request a new access token with the refresh token forever. But it should tell the client that it should re-authenticate with its credentials (e.g. email and password).

I was just wondering which status code would be the best fit in this scenario, as the spec says in the case of a 403 Forbidden that "authorization will not help".


1 Answer

1 vote

I would not make access and refresh tokens interchangeable: use access tokens to access protected resources and use the refresh token to fetch a new access token from a dedicated endpoint. OpenID Connect works this way.

You would have one more HTTP request, but HTTP status codes would not be a problem and, in my opinion, you would get cleaner code.
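The flow the answer describes, as an added example that is not part of the original post or answer: a client that sends access tokens only to resource endpoints, sends the refresh token only to a separate refresh endpoint, and makes exactly one refresh attempt before asking the user to log in again, so the "refresh forever" loop from the question cannot happen. The server is an in-memory simulation constructed for this example; the endpoint names, token strings, the `refreshCalls` counter and the choice of 401 for a rejected refresh token are assumptions made here, not something the answer or OpenID Connect prescribes.

```javascript
// Added example (not from the original post): a client that keeps access and
// refresh tokens separate and never loops on a failed refresh.
// The "server" is an in-memory simulation constructed for this example;
// endpoint names, token formats and the 401 status returned for a rejected
// refresh token are assumptions, not something the answer prescribes.

const OK = 200;
const UNAUTHORIZED = 401;

// Simulated server: a protected resource endpoint and a dedicated refresh endpoint.
function makeServer() {
  const liveAccessTokens = new Set(['access-1']);   // constructed sample token
  const liveRefreshTokens = new Set(['refresh-1']); // constructed sample token
  let issued = 1;
  const server = {
    refreshCalls: 0, // how often the refresh endpoint was hit (for inspection)
    // GET /resource: accepts only an access token.
    getResource(accessToken) {
      if (!liveAccessTokens.has(accessToken)) return { status: UNAUTHORIZED, body: null };
      return { status: OK, body: { secret: 'data' } };
    },
    // POST /token/refresh: accepts only a refresh token, mints a new access token.
    refresh(refreshToken) {
      server.refreshCalls += 1;
      if (!liveRefreshTokens.has(refreshToken)) return { status: UNAUTHORIZED, body: null };
      issued += 1;
      const accessToken = `access-${issued}`;
      liveAccessTokens.add(accessToken);
      return { status: OK, body: { access_token: accessToken } };
    },
    expireAccessToken(token) { liveAccessTokens.delete(token); },
    revokeRefreshToken(token) { liveRefreshTokens.delete(token); },
  };
  return server;
}

// Client wrapper: on a 401 from a resource it calls the refresh endpoint exactly once.
class TokenClient {
  constructor(server, accessToken, refreshToken) {
    this.server = server;
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
  }

  // Returns { status, body, reauthRequired }.
  // reauthRequired === true means: tokens are gone, ask the user for credentials.
  fetchResource() {
    if (this.accessToken === null) {
      return { status: UNAUTHORIZED, body: null, reauthRequired: true };
    }
    let res = this.server.getResource(this.accessToken);
    if (res.status !== UNAUTHORIZED) return { ...res, reauthRequired: false };

    // Access token rejected: one refresh attempt, against the refresh endpoint only.
    const refreshed = this.server.refresh(this.refreshToken);
    if (refreshed.status !== OK) {
      // Refresh token rejected: drop both tokens so no further refresh is attempted.
      this.accessToken = null;
      this.refreshToken = null;
      return { status: refreshed.status, body: null, reauthRequired: true };
    }
    this.accessToken = refreshed.body.access_token;

    // Retry the resource once with the new access token. A second 401 here is
    // surfaced to the caller, not retried again.
    res = this.server.getResource(this.accessToken);
    return { ...res, reauthRequired: res.status === UNAUTHORIZED };
  }
}

// Walk through the scenarios from the question; returns the results for inspection.
function runScenarios() {
  const out = {};

  // 1. Valid access token: the resource is served, no refresh happens.
  let server = makeServer();
  let client = new TokenClient(server, 'access-1', 'refresh-1');
  out.fresh = { ...client.fetchResource(), refreshCalls: server.refreshCalls };

  // 2. Expired access token, valid refresh token: one refresh, then success.
  server = makeServer();
  client = new TokenClient(server, 'access-1', 'refresh-1');
  server.expireAccessToken('access-1');
  out.expired = { ...client.fetchResource(), refreshCalls: server.refreshCalls };

  // 3. Expired access token, revoked refresh token: one refresh, then re-auth required.
  server = makeServer();
  client = new TokenClient(server, 'access-1', 'refresh-1');
  server.expireAccessToken('access-1');
  server.revokeRefreshToken('refresh-1');
  out.revoked = { ...client.fetchResource(), refreshCalls: server.refreshCalls };
  // A further call must not hit the refresh endpoint again (no infinite loop).
  out.retryAfterRevoke = { ...client.fetchResource(), refreshCalls: server.refreshCalls };

  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenarios(), null, 2));
}
```

The status code returned by the refresh endpoint stops mattering for the client's control flow: whatever it is, a failed refresh ends in `reauthRequired`, and the resource endpoints never see the refresh token at all.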