What's a good http status code for returning an expired password?

If the password has expired, what should the API return? I mean: the username and password are correct but expired.

Here I found that

Credential expiration or revocation mechanisms can be specified as part of the authentication scheme definition.

Is there a specification for what the correct HTTP status code for stale credentials is? Is the HTTP status code useful for handling expired credentials?


1 answer


The expired password is not a valid password and should not be accepted by the server.

So if you are using HTTP Authentication (sending credentials in the Authorization header field) you can use 401 with a descriptive payload.

Here are some quotes from RFC 7235, the specification for authentication in HTTP/1.1:



4.2. Authorization

The "Authorization" header field allows a user agent to authenticate itself with an origin server - usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested.

     Authorization = credentials

[...]

3.1. 401 Unauthorized

The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field containing at least one challenge applicable to the target resource.

If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. [...]

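As an added illustration (not part of the answer above), here is a server-side handler that evaluates a Basic Authorization header value and returns 401 with a WWW-Authenticate challenge plus a descriptive JSON body for missing, malformed, wrong and expired credentials. The user table, realm name and expiry dates are constructed assumptions.

```python
import base64
import binascii
import hmac
import json
from datetime import datetime, timezone

REALM = "api"  # assumption: the protection space named in the challenge

# Constructed sample store. A real service would store password hashes;
# plain strings keep this example self-contained.
USERS = {
    "alice": {"password": "s3cret", "expires": datetime(2020, 1, 1, tzinfo=timezone.utc)},
    "bob": {"password": "hunter2", "expires": datetime(2099, 1, 1, tzinfo=timezone.utc)},
}

def basic_header(user, password):
    """Build the Authorization value a client would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def _unauthorized(reason):
    # RFC 7235: every 401 MUST carry a WWW-Authenticate challenge. The same
    # status covers missing, wrong and expired credentials; the descriptive
    # body tells the client which case it hit.
    headers = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    return 401, headers, json.dumps({"error": reason})

def check_basic_auth(authorization, now=None):
    """Return (status, headers, body) for an Authorization header value."""
    now = now or datetime.now(timezone.utc)
    if not authorization:
        return _unauthorized("credentials required")
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return _unauthorized("unsupported or malformed scheme")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return _unauthorized("malformed credentials")
    user, sep, password = decoded.partition(":")
    record = USERS.get(user)
    # Compare even for unknown users so response timing does not leak names.
    expected = record["password"] if record else ""
    match = hmac.compare_digest(password.encode(), expected.encode())
    if not sep or record is None or not match:
        return _unauthorized("invalid credentials")
    if now >= record["expires"]:
        # Correct but stale password: still 401, with a reason the client can act on.
        return _unauthorized("password expired")
    return 200, {}, json.dumps({"user": user})
```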