OAuth

Errors

This is completely vanilla as per the OAuth 2.0 standard specification. This overview is available for informational purpose and to highlight difference between the Base API standard errors response format and the OAuth authorization error response format.


Header

An error response will specify the Content-Language of the response and have the Content-Type parameter set to application/json; charset=utf-8. In addition, the Authorization Server includes the Cache-Control: no-store and Pragma: no-cache headers in order to prevent any intermediate cache servers from storing responses with any sensitive information.


Body

The basic structure of an error response is a JSON object that holds error information at the highest object level. Error fields are described the table below.

Name Description
error The error code. One of Error Codes
error_description An optional human readable error description in a language specified by the Content-Language header.
error_uri An optional link to resources that can be helpful for problem solving.

HTTP status codes summary

OAuth authorization requests can produce responses with the following HTTP status codes.

HTTP Status Code HTTP Status Message Meaning
200 OK Everything worked as expected. The response includes a non empty body.
400 Bad Request Returned with every error except for those specified below.
401 Unauthorized Returned only with either invalid_client or invalid_token errors.
403 Forbidden Returned only with insufficient_scope error.

Error Codes

Below you will find a summary of error codes and corresponding HTTP status codes for every OAuth flow Base supports.


Requesting an Authorization via /oauth2/authorize

Error Code HTTP Status Code Meaning
invalid_request 400 The request is malformed, a required parameter is missing or a parameter has an invalid value.
unauthorized_client 400 The client is not authorized.
access_denied 400 The resource owner denied the request for authorization.
unsupported_response_type 400 Unsupported response type.
invalid_scope 400 The scope is malformed or invalid.
server_error 400 Unexpected error.
temporarily_unavailable 400 The authorization server is not able to handle the request.

Requesting an Access Token via /oauth2/token

Error Code HTTP Status Code Meaning
invalid_request 400 The request is malformed, a required parameter is missing or a parameter has an invalid value.
invalid_client 401 Client authentication failed.
invalid_grant 400 Invalid authorization grant, grant invalid, grant expired, or grant revoked.
unauthorized_client 400 Client is not authorized to use the grant.
unsupported_grant_type 400 Authorization grant is not supported by the Authorization Server.
invalid_scope 400 The scope is malformed or invalid.

Revoking a Token via /oauth2/token/revoke

Error Code HTTP Status Code Meaning
invalid_request 400 The request is malformed, a required parameter is missing or a parameter has an invalid value.
invalid_client 401 Client authentication failed.
invalid_grant 400 Invalid authorization grant, grant invalid, grant expired, or grant revoked.
unauthorized_client 400 Client is not authorized to use the grant.
unsupported_grant_type 400 Authorization grant is not supported by the Authorization Server.
invalid_scope 400 The scope is malformed or invalid.
unsupported_token_type 400 The Authorization Server does not support revocation of the presented token type.