1

We have a rest service that we use to authenticate our clients. There are some cases where we want to report to the client more information than just "authorization failed". For example if their account gets locked after too many attempts we will report to the client that their account was locked. There are other instances, because of business use cases, where we will report other problems to them. Any of these issues will deny the user from logging in even if there username/password is correct.

I think probably returning an 401 Authorized is probably incorrect for these situations but after reviewing the http status codes i'm not sure what kind of return code would be appropriate. Maybe a 403 Forbidden? Realize I'll have to return wording for the issue to the client.

Ronan Boiteau
  • 8,035
  • 6
  • 32
  • 47
coding4fun
  • 7,611
  • 9
  • 53
  • 76

1 Answers1

2

Even though the client has the right login and password, he doesn't have the mandatory permissions to go further, so I'd choose 403 Forbidden.

The difference between 401 Unauthorized and 403 Forbidden is detailed here.

Ronan Boiteau
  • 8,035
  • 6
  • 32
  • 47
  • Here is a nice blog with flow diagrams that allows you to chose the correct http status code for quite a few scenarios. http://stackoverflow.com/questions/34185445/correct-return-status-code-for-authentication-issues – Dijkgraaf Dec 09 '15 at 22:16