Archived 2023.09.04. Content moved to CDS Guide, Guidance on Client Authentication
Question
In Consumer Data Standards (CDS), Client Authentication, if an API is invoked with insufficient permission or scopes, then is a 403 error with a resource forbidden code an appropriate response, or should a 4xx error with a general error code be used as a response?
Answer
For Client Authentication, where the authorised scopes do not permit the client calling a particular endpoint, due to insufficient permissions, a 403 Forbidden error response is permissible.
However, if the error behaviour is described by the upstream normative standard, then that standard takes precedence over the CDS. Please refer to the OAuth specification for permissible error responses.
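To illustrate the distinction the answer draws, the following is an added example (not code from the CDS or its maintainers) of a resource server's scope check that emits the Bearer token error responses defined by the upstream OAuth standard, RFC 6750 section 3.1: 403 with `insufficient_scope` when the token is valid but lacks the scope, and 401 when the token is missing or not recognised. The token table, realm and scope names are constructed for illustration.

```python
"""Scope enforcement for a protected resource endpoint, emitting the error
responses defined by the OAuth 2.0 Bearer Token Usage spec (RFC 6750, s.3.1).
Added example; the token table, realm and scope names are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of introspected access tokens: token value -> granted scopes.
TOKENS = {
    "tok-accounts-only": {"bank:accounts.basic:read"},
    "tok-accounts-and-payees": {"bank:accounts.basic:read", "bank:payees:read"},
}
REALM = "resource-server"  # hypothetical realm name


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def _challenge(status: int, **attrs: str) -> Response:
    """Build a 'WWW-Authenticate: Bearer ...' challenge (RFC 6750 s.3) carrying
    the given attributes, e.g. error="insufficient_scope"."""
    parts = [f'realm="{REALM}"'] + [f'{k}="{v}"' for k, v in attrs.items()]
    return Response(status, {"WWW-Authenticate": "Bearer " + ", ".join(parts)})


def authorize(authorization: Optional[str], required_scope: str) -> Response:
    """Decide the response for a call that requires `required_scope`.

    - no credentials at all   -> 401, challenge without an error code
    - unknown/malformed token -> 401, error="invalid_token"
    - token lacks the scope   -> 403, error="insufficient_scope"
    - scope present           -> 200, the caller goes on to serve the resource
    """
    if not authorization:
        return _challenge(401)
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token not in TOKENS:
        return _challenge(401, error="invalid_token",
                          error_description="The access token is not recognised")
    if required_scope not in TOKENS[token]:
        return _challenge(403, error="insufficient_scope",
                          error_description="The token lacks the required scope",
                          scope=required_scope)
    return Response(200, {}, '{"data": {}}')
```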