
Status codes for unauthenticated OAuth errors  #213

Open
@tadhglewis

Description

Bit of context, I have an authenticated Apollo Server using OAuth.

There is a bit of a conflict between the OAuth spec and GraphQL, as the OAuth spec recommends returning 401 for unauthenticated/expired tokens, but my understanding is that the current recommendation for status codes in GraphQL is to (almost) always return 200.

GraphQL, by design, does not use the same conventions from REST to communicate via HTTP verbs and status codes. Client information should be contained in the schema or as part of the standard response errors field.

https://www.apollographql.com/docs/apollo-server/data/errors/#returning-http-status-codes

However, it seems that with the current draft spec here https://github.com/graphql/graphql-over-http/blob/main/spec/GraphQLOverHTTP.md#status-codes, you should be returning status codes.

What are the thoughts around status codes specifically when using OAuth? What status code should unauthenticated errors cause?
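The two conventions the question contrasts, side by side in one added example (not code from the issue author, Apollo Server or the graphql-over-http project): a bearer-token check followed by a response builder that emits either the OAuth-style 401 with a `WWW-Authenticate: Bearer` challenge (RFC 6750) or the GraphQL-style 200 with an `errors[].extensions.code` of `UNAUTHENTICATED` (Apollo's conventional code). The switch on the client's `Accept` header, the `verifyBearer` stub, the realm name and the token table are assumptions; in particular, treating `application/graphql-response+json` as the signal that a client can cope with non-200 responses is modelled on the draft spec's split between that media type and legacy `application/json`.

```javascript
// Added example; not from the issue, Apollo Server or the graphql-over-http spec.
// Compares two ways of reporting a failed OAuth bearer check on a GraphQL endpoint.
const GRAPHQL_RESPONSE_JSON = "application/graphql-response+json";

// Constructed stand-in for real token verification (an assumption: a real server
// would validate a JWT or introspect the token). Returns a result object rather
// than throwing so the caller can map it to either convention.
function verifyBearer(authorizationHeader, validTokens, now) {
  if (!authorizationHeader) return { ok: false, reason: "missing" };
  const m = /^Bearer\s+(\S+)$/i.exec(authorizationHeader);
  if (!m) return { ok: false, reason: "malformed" };
  const tok = validTokens.get(m[1]);
  if (!tok) return { ok: false, reason: "invalid_token" };
  if (tok.expiresAt <= now) return { ok: false, reason: "expired" };
  return { ok: true, subject: tok.subject };
}

// Build { status, headers, body } for an unauthenticated request.
// Clients that negotiated application/graphql-response+json get the OAuth answer:
// 401 plus a bearer challenge. Legacy application/json clients get 200 with a
// GraphQL error entry, so clients that treat any non-200 as a transport failure
// still receive a well-formed GraphQL response they can show to the user.
function unauthenticatedResponse(acceptHeader, result) {
  const body = {
    errors: [{ message: "Unauthenticated", extensions: { code: "UNAUTHENTICATED" } }],
  };
  const negotiated = (acceptHeader || "").includes(GRAPHQL_RESPONSE_JSON);
  if (!negotiated) {
    return { status: 200, headers: { "Content-Type": "application/json" }, body };
  }
  // RFC 6750 section 3: a request carrying no credentials gets a bare challenge
  // (no error code); a malformed, unknown or expired token gets error="invalid_token".
  const description =
    result.reason === "expired" ? "The access token expired" : "The access token is invalid";
  const challenge =
    result.reason === "missing"
      ? 'Bearer realm="graphql"'
      : `Bearer realm="graphql", error="invalid_token", error_description="${description}"`;
  return {
    status: 401,
    headers: { "Content-Type": GRAPHQL_RESPONSE_JSON, "WWW-Authenticate": challenge },
    body,
  };
}

// Constructed sample: one valid token that expires at t=2000 (arbitrary clock units).
const sampleTokens = new Map([["good-token", { subject: "alice", expiresAt: 2000 }]]);
const expired = verifyBearer("Bearer good-token", sampleTokens, 3000);
console.log(unauthenticatedResponse("application/graphql-response+json", expired).status); // 401
console.log(unauthenticatedResponse("application/json", expired).status); // 200
```

Whichever convention is chosen, the failed check happens before any resolver runs, so the GraphQL `data` field is never partially populated for an unauthenticated caller.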
