What HTTP code should I use when I can’t authenticate to third-party services with login and password provided by the client earlier?

Asked

Viewed 2,766 times

17

I am implementing a service from a website that does the following:

  • My website (A) connects to some external services provided by third parties (B, C and D) using webservices.

  • In fact A is a REST API in the backend that is accessed by frontend javascript. The frontend is not necessarily mine, the client can develop his own frontend by accessing my REST API if so he prefer.

  • Each user of my site A has a login and password on site B, one on site C and one on site D. Each of these logins and passwords of sites B, C and D are saved in my database, through a functionality offered to the user for this purpose. These logins and passwords are different from each other and different from the login and password that I use to log the customer into the site A.

  • There are some features that the customer accesses on my site A that depend on the integration with services B, C and D, and at this time the login and password of the respective integrated service is used.

  • Sometimes the login and password sent to B, C or D are wrong because my user (from site A) saved them incorrectly when using the functionality that saves these logins and passwords in the database.

Well, my question is what HTTP status code I return to the client’s browser when the login and password for the integration are wrong.

There are some unofficial status used around, but none of them seem to suit either.

So none of the 4xx and 5xx official HTTP codes I found specified anywhere seem to make sense to my case. So, what should I do? What HTTP code should I use and why? If none of the official status codes are adequate, would it be better for me to invent one for that or force the use of some already existing ones? If you are forcing the use of an existing one, what it would be and why?

Furthermore, I note that this problem of mine must be something common and recurrent, and therefore should already be covered in some of the existing codes.

Another point is that I am not sure if it is a problem in the client (4xx) or server (5xx), since the client request could not be answered due to a problem in the integration in the server side (5xx)however the reason for this failure is because the client provided incorrect information (4xx), but this information was not passed by the client at the time of the request, but was stored on the server side (5xx).

Note 1: I am aware of the questions about storing customers' login and password for third-party services rather than asking them for each request and the security implications of this. However, what I’m asking has little bearing on this.

Note 2: Considering the comments and the two responses posted, I clarify that I cannot simply return 200 indiscriminately for any request to then impose on the client to interpret the answer to know if there was an error or not. Return a 400 for any and every error and expect the same from the customer is also out of the question. It is an important requirement that HTTP status code should be an informational code.

Note 3: For now, I am using a custom code 432 for this situation.

rest http restful http-status

  • in my opinion, HTTP Status refers to your website, not the integrated services. If site A is working correctly, the answer should be 200, if there is any integration problem due to typo, your site A should inform your customer that the integration did not happen due to typo, and indicating that customer profile settings should be corrected. If you return a 4xx or 5xx error, it will indicate an error on your site.

  • The answer seems simple to me - your site is the status reference. If functional (integration does not cause catastrophic failure) then you managed to manage the state: 200 OK. If the integration makes the implementation of the action impossible, 500 Internal Server Error. (Edit) Ricardo’s point is perfect. Integrations are part of its application.

  • @Ricardo Answering something with a "200 Authentication error" is a bit strange, don’t you think?

  • @Onosendai Um 500 Internal Server Error asking the client to properly configure the login and password is not exactly what can be considered an internal error of the server.

  • 1

    @Maybe I didn’t make myself clear. If the user credentials are wrong, and the remote service has not accepted them, this is not a mistake on your system - you need to implement a flow that fixes the configuration. Meanwhile, its application is still functional; You will need to guide the user through another process flow, but this does not imply an error: 200 OK indicates that your application still works. Unless it is just a proxy.

  • 1

    @Victorstafusa, the customer accesses your Site A, so whenever you’re online the response from your Site A will be 200. If the response of the other services is different, you indicate on one page the response of each service. If you "assume" the error of site B or site C, it is your site A that is in trouble.

  • If your application, however, has no treatment flow to wrong credentials and catastrophically because of this, this is an application error (and 5xx seems valid to me.)

  • @Onosendai Ok, I edited the question to clarify this. Actually the A application has two parts, a REST API in the backend and the frontend. If it’s just for the API to chat with my front, I can put whatever code I want and that’s it, but my question is from the REST API point of view if used by other applications, which would be the most appropriate code.

  • @Ricardo See the last comment I made to Onosendai.

  • 1

    http://stackoverflow.com/questions/942951/rest-api-error-return-good-practices, same theme, has several responses and diagrams.

  • I know it sounds fun, but I always consult the HTTP cats https://http.cat/ for this... The real answer depends a lot on how your will be standard client implementation, the consumer model of their service.

  • This is a very heuristic question, its specific case is a method not commonly used. Well, in my view it is a fault of the 5xx server if it was not possible to communicate with the third party services to authenticate. However, if your service is working and the credentials provided by you are not being accepted by third party services, then it is code 4xx on the condition that the credentials have not been accepted and because they are incorrect or have been provided incorrectly.

  • @Leonancarvalho Yes, in the first case you mentioned, a 502 solves. The second case is the problem I describe in the question. I also came to the conclusion that this is a 4xx because it is something that the client has to act on and the "fault" is his. Currently I put a custom code 432 for this situation.

  • Can 3rdparty Apis be configured by the end user or not? I mean, he can change passwords of A, B, C and D so possibly responsible for authentication failures?

  • @Guilhermenascimento Yes, the user configured their passwords for services A, B, C and D. However, to be honest, I am no longer involved with the project in question, but even so, I’m still curious to know what would be the best approach.

  • I’m not going to give you an answer because it’s just my opinion and I’ve been wanting to comment on your question for a while. I think that if the user after logged in to "A" accesses "B" and "C" and the panel "A" can adjust and the notifications messages with errors are reported to be of the 3rdparty, then it would be 403. But if the feed is a type of synchronization and the adjustments have to be made directly by panels in the 3rdparty then it would be 500, because for the server "A" the situation is unexpected and the process is indirect. I hope I’ve been able to explain my point of view :)

Show 11 more comments

5 answers

3

As you do multiple operations, some work and others don’t, you can use the multi status (207) and list the appropriate status by operation.

  • Interesting approach. I don’t know what to think about her yet. I’ll reflect a little.

2

I consider that 403 (Forbidden) makes sense in this case. I’ve already used 400 (Bad request) in similar cases - it’s a little accurate, but I still think acceptable.

The justification for the use of track 4xx is that it is a client error, although detected on the server. It was the customer (the user, not the software he is using) who reported incorrect credentials.

1

A user had posted an answer, but he deleted it. Personally, I don’t agree with her because I don’t think it’s right to return 200 in case of error, but anyway, I copy the deleted answer from him here the way it was when it was deleted so that the content is not lost:

After reading about it:

I would stay with the answer found in the last:

There’s a Lot of smart people at Facebook and they built an API that only Ever Returns 200.

The basic argument Against bothering with specific status codes is this: the existing status codes are Much Too general for a Modern website/API

Translation: Status codes are too vague for modern applications.

Microsoft presents 25 possible situations for Code 400.

0

I would go from 500. Explain.

Think who’s integrating with your "A" API doesn’t care - from what I understand your question - about authentication for these internal Apis. The fact is that the user of your API tried to make a request and could not complete it.

As a 401 is most expected for the current request and all 4xx are Client Errors, i would treat this problem as an unforeseen error on the server. That is, a 500 error. As it is in the sent link:

The server encountered an Unexpected condition that prevented it from fulfilling the request.

It seems to be an unexpected condition. There is nothing the user can do in the "A" Rest service and support (or development team) will need to act to resolve the situation. To help, add an error return message (or error code) with the explanation: authentication to an internal system was not possible to be completed by a user problem or password for the B/C/D API (if you can provide these details, of course).

Even if you don’t agree with my answer, keep in mind that you won’t always find the right HTTP code for your problem. An example: what HTTP code to use to validate if a field of a register is larger than allowed? You’ll find there’s a good discussion on the Internet about this.

Ideally, choose the HTTP code that makes the most sense to you and set it as the default for the problem you’re solving.

  • I do not agree. The error in the case is the fault of the client, not the server. Nor is it an unforeseen error. On second thought, my problem corresponds to a class of errors where the request does not succeed because the client must first perform other actions before attempting to perform the request again (actions that are not simply authenticating on the server). Therefore, I tend to think that a code 4xx would be appropriate. As for validation, I know that there is a strong debate between the 400, the 422 and other alternatives.

  • @Victorstafusa, if the client can take some action, I believe I can understand how even Clienterror (4xx). I need to look at the problem from this point of view again, but it looks like the 401 would be the best choice.

-1

It doesn’t really seem to have a code that meets this situation, since in your case the request will be processed correctly.

I believe code 200 is the most appropriate, with a custom error message.

  • Code 200 is OK, means everything is right, green light, etc. The situation requires an authentication fault code or internal server error.

Browser other questions tagged rest http restful http-status

You are not signed in. Login or sign up in order to post.