author | Jonathan Huot <jonathan.huot@thomsonreuters.com> | 2018-12-04 16:08:13 +0100 |
---|---|---|
committer | Jonathan Huot <jonathan.huot@thomsonreuters.com> | 2018-12-04 16:08:13 +0100 |
commit | ffa87c7ec828e5c0a7c68a2197030f20b15ec621 (patch) | |
tree | b3e8333ee50b9348adce4d2782e0e6889808f96c /oauthlib/oauth2/rfc6749/endpoints | |
parent | 51c927b0641adcef6e5944c9a67ba1d7edc2eb68 (diff) | |
download | oauthlib-ffa87c7ec828e5c0a7c68a2197030f20b15ec621.tar.gz |
Handle 401 with WWW-Authenticate. Moved wrong 401 into 400.
access_denied/unauthorized_client/consent_required/login_required MUST be 400, not 401. Also, a 401 MUST carry WWW-Authenticate when set. This could affect how web frameworks process those responses.
Diffstat (limited to 'oauthlib/oauth2/rfc6749/endpoints')
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/introspect.py | 2 | ||||
-rw-r--r-- | oauthlib/oauth2/rfc6749/endpoints/revocation.py | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/oauthlib/oauth2/rfc6749/endpoints/introspect.py b/oauthlib/oauth2/rfc6749/endpoints/introspect.py
index 7613acc..ac2e328 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/introspect.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/introspect.py
@@ -63,6 +63,8 @@ class IntrospectEndpoint(BaseEndpoint):
 log.debug('Token introspect valid for %r.', request)
 except OAuth2Error as e:
 log.debug('Client error during validation of %r. %r.', request, e)
+ if e.status_code == 401:
+ return {"WWW-Authenticate": "Basic"}, e.json, e.status_code
 return {}, e.json, e.status_code
 claims = self.request_validator.introspect_token(
diff --git a/oauthlib/oauth2/rfc6749/endpoints/revocation.py b/oauthlib/oauth2/rfc6749/endpoints/revocation.py
index d5b5b78..b13faa3 100644
--- a/oauthlib/oauth2/rfc6749/endpoints/revocation.py
+++ b/oauthlib/oauth2/rfc6749/endpoints/revocation.py
@@ -69,6 +69,8 @@ class RevocationEndpoint(BaseEndpoint):
 response_body = e.json
 if self.enable_jsonp and request.callback:
 response_body = '%s(%s);' % (request.callback, response_body)
+ if e.status_code == 401:
+ return {"WWW-Authenticate": "Basic"}, response_body, e.status_code
 return {}, response_body, e.status_code
 self.request_validator.revoke_token(request.token, |
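Review bot: The challenge returned from the `except OAuth2Error` branch in introspect.py is the fixed literal `Basic` with no realm, and the revocation.py hunk repeats the same two lines. RFC 6749 section 5.2 asks that a 401 for failed client authentication carry a `WWW-Authenticate` value matching the scheme the client actually used, and RFC 7617 makes `realm` a required parameter of the Basic scheme, so a client that authenticated another way, or a strict HTTP stack, receives a challenge it cannot act on. I would build the header once from the error or the request instead of duplicating a literal in both endpoints, for example `headers = {"WWW-Authenticate": 'Basic realm="<realm placeholder>"'} if e.status_code == 401 else {}` followed by a single `return headers, e.json, e.status_code`. The enclosing methods start and end outside both hunks, so whether another scheme can reach this branch is not visible here. A test asserting the header is present on a 401 and absent on a 400 would pin the behaviour for both endpoints.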