
I am asking maybe an open question about REST authentication practice. We use OpenID to authenticate with the REST API. However, there are some APIs where we do a POST with a body that also contains a secret (to support certain business rules). Now, if that secret is wrong, am I still fine to return a 401 error? Does REST prescribe (like HTTP does) where a token, password or secret should go in a REST call (e.g. always in the HTTP Authorization header...)?

thanks

toto'
  • Possible duplicate of [What HTTP code to use in "Not Authenticated" and "Not authorized" cases?](https://stackoverflow.com/questions/6113014/what-http-code-to-use-in-not-authenticated-and-not-authorized-cases) – CodeCaster Jun 12 '18 at 12:09

1 Answer

The 401 Unauthorized error is an HTTP status code that means the page you were trying to access cannot be loaded until you first log in with a valid user ID and password. If you have just logged in and received the 401 Unauthorized error, it means that the credentials you entered were invalid for some reason.

Saurabh Mistry
  • I understand. But my point is on the secret we use in some POST body. Since the client can retry if that is wrong, I find it OK to send a 401 instead of 403. Can't I treat a secret in the payload as an authentication "token"? – toto' Jun 12 '18 at 12:30
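The decision the question and answer are circling (401 when the caller is not authenticated, 403 when the caller is authenticated but not allowed, and how a secret carried in the POST body fits in) can be written down as a small request handler. The following is an added example, not code from the original post or from either participant; the token table, the scope name `orders:write`, the resource secret and the request shapes are all constructed for the demo. It follows the asker's choice of answering 401 for a wrong payload secret, and sends a `WWW-Authenticate` challenge with every 401 because RFC 7235 requires one; the secret is compared in constant time with `hmac.compare_digest` so the response timing does not leak how much of it was right.

```python
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed token table standing in for OpenID token validation.
# A real service would verify the token with the identity provider.
VALID_TOKENS = {
    "tok-alice": {"sub": "alice", "scopes": {"orders:write"}},
    "tok-bob": {"sub": "bob", "scopes": set()},
}

# Constructed business secret the caller must present in the POST body.
RESOURCE_SECRET = "s3cr3t-for-order-42"

Response = Tuple[int, Dict[str, str], dict]


def _bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from a 'Bearer <token>' Authorization header."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "bearer" and token:
                return token
    return None


def handle_post(headers: Dict[str, str], body: bytes,
                required_scope: str = "orders:write") -> Response:
    """Return (status, response headers, response body) for a POST.

    Order of checks: who is calling (401), may they do this (403),
    is the request well formed (400), do they know the secret (401).
    """
    token = _bearer_token(headers)
    principal = VALID_TOKENS.get(token) if token else None
    if principal is None:
        # Not authenticated: 401 must carry a WWW-Authenticate challenge.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "invalid_token"}

    if required_scope not in principal["scopes"]:
        # Authenticated but not permitted: 403, no challenge, retrying
        # with the same credentials will not help.
        return 403, {}, {"error": "insufficient_scope"}

    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {}, {"error": "invalid_json"}

    secret = payload.get("secret") if isinstance(payload, dict) else None
    if not isinstance(secret, str) or not hmac.compare_digest(
        secret.encode("utf-8"), RESOURCE_SECRET.encode("utf-8")
    ):
        # The asker's choice: the body secret is a second credential, so a
        # wrong value is an authentication failure the client may retry.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "invalid_secret"}

    return 201, {}, {"result": "created", "by": principal["sub"]}


if __name__ == "__main__":
    # Constructed request: valid token, correct secret.
    ok = handle_post({"Authorization": "Bearer tok-alice"},
                     json.dumps({"secret": RESOURCE_SECRET}).encode())
    print(ok)
```

The handler checks identity before anything else, so an unauthenticated caller learns nothing about whether the resource or the secret exists; the 403 branch is the one place where retrying with the same credentials is pointless, which is exactly the distinction the duplicate link in the comments draws.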