
Suppose that the OpenID Connect implicit flow is mainly used by single-page applications (SPAs); then the first access to the backend/API is probably made by an AJAX call, not by loading the SPA itself.

Now, if the API detects that the request is being sent without a token, how should it respond?

IMHO it does not make too much sense to respond with a redirect, because this would only cause the AJAX request to be redirected, not the entire browser window (which is necessary).

So, is responding with a 401 fine? Or is there another (better) way to handle this? Supposing that a 401 is fine, should the server somehow indicate which identity provider to use, or is this completely up to the client, with the backend assuming the client knows which identity provider it trusts?


1 Answer


RFC 6749 does not indicate how the response should be designed.

However, as the client expects an API response, your resource server should send an API response with appropriate HTTP code and response body.

If the resource server rejects the request because the token expired or is invalid, the response code should be 400. If the access token has not been issued with the required scope, or if the resource owner has no right regarding the resource, then the code should be 403. If no token is found, the code should be 401.

The body may be similar to the error responses described in the specification:

HTTP/1.1 403 Forbidden
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "error":"insufficient_scope",
    "error_description":"The scope 'WRITE' is required.",
    "error_uri":"https://www.example.com/doc/error403/insufficient_scope"
}

Concerning the way to indicate which IdP to use, I know that a specification is being written, but at the moment it is up to you to indicate how clients should interact with your resource server (e.g. documentation).
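The following is an added example (not code from the question or the answer) of a resource server applying the answer's approach: it answers an API call with a status code and a JSON body in the shape shown above, never with a redirect, so the SPA can react to the status itself (a 401 being its cue to navigate the browser window, not the AJAX request, to the identity provider). The token store, realm, documentation URL pattern and the `authorize` function are assumptions made for the example. Beyond the answer, it also emits the `WWW-Authenticate: Bearer` challenge that RFC 6750 section 3 defines for bearer-token errors; note that RFC 6750 assigns 401 to `invalid_token`, and the example follows the RFC there where the answer above uses 400.

```python
import time

# Constructed token store for this example only: a real resource server would
# verify a JWT signature or call the token introspection endpoint instead.
TOKEN_STORE = {
    "tok-read-only": {"sub": "alice", "scope": {"READ"}, "exp": 4102444800},
    "tok-expired": {"sub": "bob", "scope": {"READ", "WRITE"}, "exp": 946684800},
}

# Assumed documentation URL pattern, mirroring the error_uri in the answer.
ERROR_DOC = "https://www.example.com/doc/error{status}/{error}"
REALM = "api"  # assumed realm name


def _challenge(error=None, description=None, scope=None):
    """Build the WWW-Authenticate value defined in RFC 6750 section 3."""
    parts = [f'realm="{REALM}"']
    if scope:
        parts.append(f'scope="{scope}"')
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(parts)


def _error_response(status, error, description, scope=None):
    """JSON API error in the shape of the answer's example (no redirect)."""
    body = {
        "error": error,
        "error_description": description,
        "error_uri": ERROR_DOC.format(status=status, error=error),
    }
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
        "WWW-Authenticate": _challenge(error, description, scope),
    }
    return status, headers, body


def authorize(request_headers, required_scope, now=None, store=TOKEN_STORE):
    """Return (status, headers, body) for an API request carrying a bearer token."""
    now = time.time() if now is None else now
    scheme, _, token = request_headers.get("Authorization", "").partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # No credentials at all: 401 with a bare challenge. RFC 6750 section 3.1
        # says the challenge SHOULD NOT carry an error code in this case; the
        # SPA treats the 401 as the signal to start the login flow itself.
        headers = {
            "WWW-Authenticate": _challenge(),
            "Cache-Control": "no-store",
            "Pragma": "no-cache",
        }
        return 401, headers, {}
    claims = store.get(token)
    if claims is None or claims["exp"] <= now:
        # Unknown, revoked or expired token: RFC 6750 maps invalid_token to 401.
        return _error_response(401, "invalid_token",
                               "The access token is expired or invalid.")
    if required_scope not in claims["scope"]:
        # Valid token but insufficient rights: 403, naming the missing scope.
        return _error_response(403, "insufficient_scope",
                               f"The scope '{required_scope}' is required.",
                               scope=required_scope)
    # Authorized: a normal API response.
    return 200, {"Content-Type": "application/json;charset=UTF-8"}, {"sub": claims["sub"]}


if __name__ == "__main__":
    for hdrs, scope in [({}, "READ"),
                        ({"Authorization": "Bearer tok-expired"}, "READ"),
                        ({"Authorization": "Bearer tok-read-only"}, "WRITE"),
                        ({"Authorization": "Bearer tok-read-only"}, "READ")]:
        status, headers, body = authorize(hdrs, scope)
        print(status, headers.get("WWW-Authenticate", ""), body)
```

Because every outcome is a plain API response, the SPA can branch on the status code: on 401 without a token it redirects the top-level window to the identity provider it was configured to trust, on 403 it can show the missing scope from the body, and on 401 with `error="invalid_token"` it discards the stale token and re-authenticates. Which identity provider to use is, as the answer says, something the client has to know (or read from your documentation); nothing in these responses tells it.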