iOS 8 shows popup for basic auth at 401 for OAuth

I have a JavaScript application that publishes a native API, the OAuth2 API, and we include the access token in the request header:

Authorization:Bearer 2267a056aab4100228a046267bfdfef6c2d73aaec66403eddf854914fa829310

      

and when we try to post to the api with an expired token, we return 401 (as we should) with this header:

WWW-Authenticate:OAuth realm='OAuth API', error='expired_token'

      

but on iOS this brings up the "basic auth" popup asking for a username and password, which is not only wrong (I'm sure) but also confuses our users.

Is there a way to prevent iOS from doing this popup?

+3
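The response header quoted in the question can be checked against the Bearer scheme rules of RFC 6750 section 3. The following is an added example, not code from the question or the answers; the function names are hypothetical, and it only reports deviations from the spec, it does not establish what triggers the iOS popup.

```javascript
// Added example; function names are hypothetical.
// Error codes defined for the Bearer scheme in RFC 6750 section 3.1.
const RFC6750_ERRORS = new Set(["invalid_request", "invalid_token", "insufficient_scope"]);

// Tolerant parse of `scheme name=value, ...`: accepts "double"-quoted,
// 'single'-quoted and bare values so malformed headers can be reported on.
function parseChallenge(header) {
  const m = /^\s*(\S+)\s*(.*)$/s.exec(header);
  if (!m) return null;
  const params = {}, quoting = {};
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|'([^']*)'|([^\s,]+))/g;
  for (const p of m[2].matchAll(re)) {
    const name = p[1].toLowerCase();
    if (p[2] !== undefined) { params[name] = p[2].replace(/\\(.)/g, "$1"); quoting[name] = "double"; }
    else if (p[3] !== undefined) { params[name] = p[3]; quoting[name] = "single"; }
    else { params[name] = p[4]; quoting[name] = "bare"; }
  }
  return { scheme: m[1], params, quoting };
}

// Returns the deviations from RFC 6750 section 3 found by these checks.
function lintBearerChallenge(header) {
  const c = parseChallenge(header);
  if (!c) return ["unparseable challenge"];
  const findings = [];
  if (c.scheme.toLowerCase() !== "bearer") findings.push(`scheme "${c.scheme}" is not Bearer`);
  for (const [name, q] of Object.entries(c.quoting)) {
    if (q === "single") findings.push(`${name}: single quotes are not a valid quoted-string`);
  }
  const err = c.params.error;
  if (err !== undefined && !RFC6750_ERRORS.has(err)) {
    findings.push(`error "${err}" is not an RFC 6750 code (expired tokens use invalid_token)`);
  }
  return findings;
}

// Build a conformant challenge for an expired or otherwise invalid token.
function buildBearerChallenge(realm, error = "invalid_token") {
  const quote = (s) => `"${String(s).replace(/(["\\])/g, "\\$1")}"`;
  return `Bearer realm=${quote(realm)}, error=${quote(error)}`;
}

// Header quoted in the question above.
const fromQuestion = "OAuth realm='OAuth API', error='expired_token'";
console.log(lintBearerChallenge(fromQuestion));
console.log(buildBearerChallenge("OAuth API"));
```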




2 answers


This seems to match the response for error invalid_grant and allows for a 400 response.

http://tools.ietf.org/html/rfc6749#section-5.2



invalid_grant - The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.

410 Gone doesn't really work as an answer as the token still exists, it just expired or is invalid.

+1




I personally would use

410 Gone



The requested resource is no longer available at the server and no forwarding address is known. This condition is expected to be considered permanent.

0

