[abacus] Securing REST endpoints using OAuth bearer access token
Saravanakumar A. Srinivasan
I am working on implementing (see the GitHub commit at  for more details) an Express middleware to authenticate incoming requests using an OAuth bearer access token. We want to make sure our implementation follows the OAuth 2.0 Authorization Framework specification when processing client requests.
While reading the specification I came across a section where the spec lists error codes to use when we get an invalid request. In there, the invalid_request error code seems to suggest that we need to validate the required request parameters for a particular request before we authenticate the user, and return HTTP response code 400 with an appropriate error code and error message. It also mentions that we need to return HTTP response code 401 when a request does not contain any authentication information. So it sounds odd to me to validate the request parameters before we validate the authentication of the request.
Saravanakumar Srinivasan (Assk),
Bay Area Lab, 1001, E Hillsdale Blvd, Ste 400, Foster City, CA - 94404.
Phone: 650 645 8251 (T/L 367-8251)
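As an added illustration of the ordering the post asks about (this is example code, not the abacus commit), the check below follows RFC 6750 section 3.1: a request with no bearer credentials gets a bare 401 challenge with no error code, a syntactically malformed Bearer header gets 400 invalid_request, and a well-formed but unverifiable token gets 401 invalid_token. `verifyToken` and the `KNOWN_TOKENS` table are stand-in assumptions for the real token verifier; `bearerAuth` uses the Express `res.set`/`res.status`/`res.json`/`res.sendStatus` API.

```javascript
const REALM = 'abacus';

// Constructed sample of tokens the resource server would accept; a real
// deployment would verify signatures or introspect against the UAA instead.
const KNOWN_TOKENS = { 'good-token': { sub: 'alice', scope: 'abacus.usage.read' } };
function verifyToken(token) {
  return KNOWN_TOKENS[token] || null;
}

// Build the WWW-Authenticate challenge; RFC 6750 3.1 says the bare challenge
// (no error attribute) is used when the request carried no credentials.
function challenge(status, error, description) {
  let header = `Bearer realm="${REALM}"`;
  if (error) header += `, error="${error}", error_description="${description}"`;
  return {
    status,
    headers: { 'WWW-Authenticate': header },
    body: error ? { error, error_description: description } : undefined
  };
}

// Returns { status: 200, claims } when the request may proceed, otherwise the
// error response to send. Only the Authorization header value is needed.
function checkBearer(authorization) {
  // No bearer credentials at all (header missing or another scheme): 401, no error code.
  if (authorization === undefined || !/^Bearer(\s|$)/i.test(authorization)) {
    return challenge(401);
  }
  // b64token syntax from RFC 6750 section 2.1; anything else is a malformed request.
  const m = /^Bearer\s+([A-Za-z0-9\-._~+\/]+=*)$/i.exec(authorization);
  if (!m) return challenge(400, 'invalid_request', 'malformed Authorization header');
  const claims = verifyToken(m[1]);
  if (!claims) return challenge(401, 'invalid_token', 'token is expired, revoked or unknown');
  return { status: 200, claims };
}

// Express-compatible middleware: attaches verified claims to req.auth or
// sends the RFC 6750 error response and stops the chain.
function bearerAuth(req, res, next) {
  const result = checkBearer(req.headers.authorization);
  if (result.status === 200) { req.auth = result.claims; return next(); }
  res.set(result.headers);
  return result.body ? res.status(result.status).json(result.body)
                     : res.sendStatus(result.status);
}

module.exports = { checkBearer, bearerAuth, verifyToken };
```

Note that parameter validation for the protected resource itself (request body, query) can run after `bearerAuth` passes; the 400 invalid_request above is only about the shape of the credential, which is what keeps the 401-before-400 ordering consistent.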