So in other words 401 means "You are either not logged in or your login is invalid", whereas 403 means "You do not have permissions to see this or no one has permissions".

The standard for 401 then goes on:

> The response MUST include a WWW-Authenticate header field

In our case `Bearer` would be the appropriate scheme.

This raises the question why we do not use the standard `Authorization: Bearer <token>` in the first place, since this is the suggested method for JWTs.

Not using this scheme currently also requires some minor configuration on the frontend-side (see the app.module).
gernot303 changed the title from "As a developer I want to use the right HTTP-Code for failed token authentication (401 vs 403)" to "As a developer I want to use the right http-code for failed token authentication (401 vs 403)" on Jan 14, 2017
References cited in the issue: "403 Forbidden vs 401 Unauthorized"; the 401 and 403 definitions in RFC 2616.