I've got a JSON REST API. There is a handshake that will give you a token that is valid for 15 minutes. All calls you do within those 15 minutes should work ok. After the 15 minutes I am returning an error object (includes code, message, success = false) but I was also wondering what HTTP Error Code I should return? And will using a HTTP error code mess up certain clients? (HTML5, iPhone, Android). What is considered best practice in this scenario?
- +1, great question. Did you ever find a good solution to this? (btw - both [netflix](http://developer.netflix.com/docs/read/HTTP_Status_Codes) and [linkedin](https://developer.linkedin.com/documents/handling-errors-invalid-tokens) return a 401). – Lasse Christiansen Jul 12 '14 at 12:21
- Possible duplicate of [What status code should I use when session token is invalid?](https://stackoverflow.com/questions/20613088/what-status-code-should-i-use-when-session-token-is-invalid) – Michael Freidgeim Oct 07 '17 at 09:58
- @MichaelFreidgeim This question is already older – FindOutIslamNow Apr 04 '19 at 10:15
- @FindOutIslamNow, "Possible duplicate" is a way to clean up - to close similar questions and keep one with the best answers. The date is not essential. See http://meta.stackexchange.com/questions/147643/should-i-vote-to-close-a-duplicate-question-even-though-its-much-newer-and-ha If you agree that it requires clarification please vote on http://meta.stackexchange.com/questions/281980/add-clarification-link-to-possible-duplicate-automated-comment – Michael Freidgeim Apr 04 '19 at 10:21
3 Answers
You should return a 401 Unauthorized status code. You might additionally provide hypermedia to establish the token again.
Think about what happens in a web app. You go to say a banking site. If not auth'd it will send you to the log in page. Then you log in and you are good to go for a time. Then it expires and the cycle repeats.
Just a thought.

According to the spec rfc6750 - "The OAuth 2.0 Authorization Framework: Bearer Token Usage", https://www.rfc-editor.org/rfc/rfc6750, p.8, section 3.1, the resource server should return 401:

> invalid_token: The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.
- Note _SHOULD_ vs. _MUST_. As a caller, would be nice to be able to rely on 401. Oh well. – dbreaux Jan 28 '19 at 23:38
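As an added example (not code from any of the answers above), here is what the 401 handling the two answers describe looks like in practice, following RFC 6750 section 3.1: a small Python check that validates a bearer token against a constructed in-memory store using the question's 15-minute lifetime, and returns the status code, the `WWW-Authenticate` challenge and a JSON error body of the shape the question mentions. The token store, the realm name and the function names are assumptions for the illustration.

```python
import json
import time

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute validity from the question

# Constructed sample store: token -> issue time in epoch seconds (assumption).
TOKENS = {
    "tok-fresh": 1_700_000_000,
    "tok-old": 1_700_000_000 - 2 * TOKEN_TTL_SECONDS,
}


def bearer_error(status, error, description):
    """Build an RFC 6750 section 3.1 error response.

    RFC 6750 maps invalid_request -> 400, invalid_token -> 401 and
    insufficient_scope -> 403; the error code is carried in the
    WWW-Authenticate challenge, and the JSON body is for API clients.
    """
    challenge = (
        f'Bearer realm="api", error="{error}", error_description="{description}"'
    )
    headers = {"WWW-Authenticate": challenge, "Content-Type": "application/json"}
    body = json.dumps({"success": False, "code": error, "message": description})
    return status, headers, body


def check_bearer(authorization_header, now=None):
    """Validate an Authorization header value; return (status, headers, body)."""
    now = time.time() if now is None else now
    if not authorization_header:
        # No credentials at all: 401 with a bare challenge and no error code,
        # so the client knows which scheme to use.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, ""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return bearer_error(400, "invalid_request", "malformed Authorization header")
    issued = TOKENS.get(token)
    if issued is None:
        return bearer_error(401, "invalid_token", "unknown or revoked token")
    if now - issued > TOKEN_TTL_SECONDS:
        # Expired: the client should run the handshake again and retry.
        return bearer_error(401, "invalid_token", "token expired; request a new one")
    return 200, {}, json.dumps({"success": True})
```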
FWIW Facebook uses 400 with a custom JSON response. I personally would prefer 401 with custom JSON response.
Here is FB's response body:
```json
{
  "error": {
    "message": "Error validating access token: Session has expired on Jul 17, 2014 9:00am. The current time is Jul 17, 2014 9:07am.",
    "type": "OAuthException",
    "code": 190,
    "error_subcode": 463
  }
}
```

- Something tells me Facebook should be treated as an exception, not a guideline for development. Just saying. – Victor Ivens Sep 17 '16 at 22:13
- Is it a call to Facebook as an authorization server, or as a resource provider? The authorization server should return 400: https://tools.ietf.org/html/rfc6749#section-5.2, but the resource provider should return 401 – Michael Freidgeim Oct 07 '17 at 21:04