bastienbot - 16 days ago
HTTP Question

What should the response code be when the error is generated by a third-party application?

I built a web application that basically asks the user for credentials with a form (for a random 3rd party service, knowing which one does not matter).
Once the user has filled in the form with the 3rd party service app token, a request with the token is sent to the application backend, the backend gets the token and sends a request to the 3rd party service in order to check if the token is valid.
At this point the 3rd party service returns a response to the backend with either
200 - {randomObject: object}
or
401 - Unauthorized.

So here is my question: if the 3rd party service returns 401, should the backend return
200 - false
or
401 - Unauthorized?

My colleague and I have been arguing about this.
My point is that the access to the application backend is authorized and the parameters are correct (a token is present in the request), so the response should be 200 but the content of the response should indicate whether or not the token is valid.
His point is that since the token is not valid (as the 3rd party service tells the backend), the backend should return
401 - Unauthorized.

Just so we're clear, I know that the outcome is the same in both cases; as a matter of fact this functionality already works. I just want to know if there is some sort of convention regarding this specific matter.

Thank you

Answer

I would go for either 400 or 401.

401 might be misleading because access to your API was not unauthorized (especially if your API also requires authentication).

On the other hand, 400 should work well:

The 400 (Bad Request) status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error
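The mapping the answer recommends, as an added example that is not part of the original question or answer: a backend handler that forwards the user-supplied token to a (here stubbed, offline) third-party validator and returns 400 with an explicit reason when that service rejects the token, so the caller can tell a rejected third-party token apart from failing to authenticate to the backend itself. It goes one step beyond the two cases on the page by also handling an upstream outage, which is not the client's fault and so gets 502 rather than 4xx. The names `fake_upstream_validate` and `handle_token_check` are assumptions for the example.

```python
# Added example (not from the original post): decide which status code the
# backend returns after checking a third-party token upstream.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class UpstreamResult:
    status: int                  # HTTP status returned by the third-party service
    body: Optional[dict] = None  # parsed JSON body on a 200


# Hypothetical upstream validator. Real code would make an outbound HTTP
# request; these constructed responses let the example run offline.
def fake_upstream_validate(token: str) -> UpstreamResult:
    if token == "good-token":
        return UpstreamResult(200, {"randomObject": {"account": "demo"}})
    if token == "flaky":
        return UpstreamResult(503)  # simulated third-party outage
    return UpstreamResult(401)      # any other token is rejected


def handle_token_check(request_json: Dict[str, object],
                       validate: Callable[[str], UpstreamResult]) -> Tuple[int, dict]:
    """Return (status, body) for the backend's own response to the client."""
    token = request_json.get("token")
    if not isinstance(token, str) or not token:
        # The request itself is malformed: no usable token field.
        return 400, {"error": "missing_token"}
    upstream = validate(token)
    if upstream.status == 200:
        return 200, {"valid": True, "data": upstream.body}
    if upstream.status == 401:
        # The client reached this API legitimately, but the content it sent
        # (the third-party token) is unusable. That is a client error in the
        # request content, so 400 with a reason, not 401, which would imply
        # the client failed to authenticate to *this* backend.
        return 400, {"valid": False, "error": "third_party_token_rejected"}
    # Anything else (5xx, unexpected status) is an upstream problem, not the
    # client's: surface it as a gateway error rather than blaming the caller.
    return 502, {"error": "third_party_unavailable",
                 "upstream_status": upstream.status}
```

Logging the `upstream_status` on the 502 path gives operators a way to spot a third-party outage separately from a wave of genuinely bad tokens.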