Post by shawnw on Oct 5, 2023 9:49:41 GMT
Hi,
I have some questions about "Account Locked". I'm not sure about the appropriate behavior.
Case 1: If a locked account attempts to log in with an incorrect password:
Should Redfish return a 401?
Case 2: If a locked account attempts to log in with the correct password:
Should Redfish return a 403? Or, would it be more secure to return a 401 to avoid revealing that the user exists?
Many Thanks, Shawn
Post by mraineri on Oct 5, 2023 12:33:38 GMT
It's 401 for both cases. 403 would imply you accepted the credentials, but could not perform the requested operation. When an account is locked, I would not expect the credentials to ever be accepted, even if they are valid.
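The rule in the answer above, as an added Python example that is not from the thread or from the Redfish specification (the account store, the lockout threshold and the PBKDF2 hashing are assumptions made for illustration):

```python
# Added example: a minimal Redfish-style session-login decision. Every
# authentication failure, including a locked account presented with the
# correct password, yields 401. 403 is reserved for a caller whose
# credentials were accepted but who lacks rights to the requested operation.
import hashlib
import hmac
import os
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # constructed value; a real service makes this configurable


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=_hash(password, salt))


# Constructed user store; the dummy account keeps the hashing cost constant
# for unknown usernames so timing does not reveal whether a user exists.
USERS = {"admin": make_account("correct horse")}
DUMMY = make_account("placeholder")


def login(username: str, password: str) -> int:
    """Return the HTTP status a SessionService POST should answer with."""
    acct = USERS.get(username, DUMMY)
    # Hash and compare before looking at lock state, so a locked account
    # costs the same time as an unlocked one.
    ok = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
    if acct is DUMMY or acct.locked:
        # Unknown or locked: credentials are never accepted, valid or not.
        # The failure counter is left alone, so a correct guess does not unlock.
        return 401
    if not ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return 401
    acct.failed_attempts = 0
    return 201  # session created
```

The same 401 body and headers should be sent on every failure branch; the status alone is not enough if the error message differs between "unknown user", "bad password" and "locked".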
Post by shawnw on Oct 6, 2023 2:50:04 GMT
Thanks! That makes sense!