
Applicability of new status code "4xx Credentials expired"?

From: Jan Algermissen <jan.algermissen@nordsc.com>
Date: Sun, 11 Aug 2013 07:46:47 +0200
Message-Id: <8301C704-EB2B-4CFA-B71E-6BB7339DDDB9@nordsc.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

Before I dive deeper into this, I am interested in immediate reactions from this group.

I am working on token-based access control and have the following use case as part of an experimental protocol I am working on:

A client is given an access token with a certain lifetime. The client does not know the expiration time, but when it requests a protected resource with an expired token the server should tell the client in the response. This would trigger the client to refresh the access token.

I could do this with an error_code="token-expired" parameter in a 401 but thinking about this, I would find sth like

4xx Credentials Expired 

a much better fit because the status code is AFAIU more suitable when an automatic action by the client is desired. The semantic is also not tied to the protocol I have in mind, but rather generic.

I'd be interested in the resonance such a proposal would provoke. If it is not entirely negative I'd go ahead and draft such a new code.

Received on Sunday, 11 August 2013 05:47:15 UTC
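
An added example, not part of the original message: a client-side sketch of the 401 variant described above, where the client refreshes only when the challenge carries error_code="token-expired" and retries exactly once, so any other 401 is surfaced rather than answered with a refresh. The "Token" scheme name, the "token-invalid" value, the token strings and the FakeServer class are assumptions constructed for the demonstration.

```python
import re

# Matches key="quoted" or key=token auth-params in a WWW-Authenticate challenge.
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def challenge_params(header):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v}); keys are lower-cased."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r'\\(.)', r'\1', value)
    return scheme, params

def fetch(send, refresh, token):
    """Request once; refresh and retry a single time only on the expiry signal."""
    status, headers, body = send(token)
    if status != 401:
        return status, body, token
    _, params = challenge_params(headers.get("WWW-Authenticate", ""))
    if params.get("error_code") != "token-expired":
        return status, body, token      # other 401: do not refresh blindly
    token = refresh()                    # one refresh, one retry, no loop
    status, headers, body = send(token)
    return status, body, token

# --- constructed server and token values, for the demonstration only ---
class FakeServer:
    def __init__(self):
        self.valid = {"tok-2"}
        self.expired = {"tok-1"}
        self.refreshes = 0

    def send(self, token):
        if token in self.valid:
            return 200, {}, "resource"
        # "token-invalid" is a hypothetical value for the non-expiry case
        code = "token-expired" if token in self.expired else "token-invalid"
        challenge = 'Token realm="example", error_code="%s"' % code
        return 401, {"WWW-Authenticate": challenge}, ""

    def refresh(self):
        self.refreshes += 1
        return "tok-2"

def demo():
    s = FakeServer()
    return fetch(s.send, s.refresh, "tok-1"), fetch(s.send, s.refresh, "bogus"), s.refreshes

if __name__ == "__main__":
    print(demo())
```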
