Time  Nick      Message
07:50 andern    i understand the difference between status code 401 and 403 and when to return them, but what's the correct status code to return when the authentication itself failed? Let's say I have authenticated and i try to GET from /api/Persons/. The session has timed out and it would be appropriate to return 401. However, what would be a proper status code if a POST to /api/authenticate with the wrong username/password?
08:00 trygvis   /api/authenticate is just a resource like other resources, so 200 OK or 400/422
08:40 timg___   when using problem+json what's the "type" (url) of a classical 404 response? i don't want to define all the docs!?
09:22 trygvis   timg___: I don't understand your question
09:23 timg___   problem+json forces the "type" to be a url.
09:24 timg___   trygvis: so what url/type is supposed to be used for classic 404 responses?
09:30 trygvis   I would say "about:blank" and use "Not Found" for "title"; https://tools.ietf.org/html/draft-nottingham-http-problem-07#section-4.2
12:22 pith      I didn't know this draft, it looks interesting. Thanks for the link
17:01 vioz      would it be valid for me to ask a question about jwt in here?
17:01 pdurbin   vioz: what is it?
17:02 vioz      i'm wondering if i should use JWT for authenticating users in a SPA
17:04 vioz      i think i recall reading that cookies were better, but i know i've read that in-memory session handling doesn't scale
17:07 pdurbin   oh, it's that json thing, right?
17:07 pdurbin   searchbot: lucky jwt json token
17:07 searchbot pdurbin: http://jwt.io/
17:07 pdurbin   right, right. RFC 7519 - JSON Web Token (JWT) - https://tools.ietf.org/html/rfc7519
17:08 pdurbin   someone here might know but there's also https://ask.auth0.com/category/jwt linked from their homepage