Authorization errors to be specified in protocol documentation #41
Description
@dragotin: I think we should specify this to distinguish wrong credentials (a failed login due to wrong/expired user password) from accessing a resource without permissions with good credentials.
I guess:
- for wrong credentials it is: 401 Unauthorized -- user may/will be asked to re-authenticate (password)
- for good credentials but no permission it is: 403 Forbidden -- user won't be asked to reauthenticate.
Is this correct?