I’m not sure if this discussion has come up before, but I’ve been looking into why some of our users are getting access denied (403) rather than unauthorized (401) when their token has expired.
Tyk is returning 403 when validation fails:
https://github.com/TykTechnologies/tyk/blob/master/mw_openid.go#L107
Please correct me if I’m wrong, but the oauth spec says that 401 should be returned when the token is invalid:
RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage (I think I’m looking at the right spec here?).
Thanks.
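The status-code question raised above, worked as an added example that is not from this thread and is not Tyk's code: a small Go middleware that maps bearer-token validation failures onto the responses RFC 6750 section 3.1 prescribes (no credentials or an invalid/expired token gives 401 with a `WWW-Authenticate: Bearer` challenge, a valid token that lacks the needed scope gives 403 `insufficient_scope`, a malformed request gives 400 `invalid_request`). The token store, scope names, clock and sentinel errors are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Sentinel errors a bearer-token validator can report. Constructed for this
// example; they are not Tyk's types.
var (
	ErrMissingToken      = errors.New("no bearer token presented")
	ErrMalformedRequest  = errors.New("malformed authorization header")
	ErrInvalidToken      = errors.New("invalid token")
	ErrInsufficientScope = errors.New("token lacks the required scope")
)

// bearerToken is a minimal validated-token record (assumed shape).
type bearerToken struct {
	expiry time.Time
	scopes []string
}

// sampleNow is the fixed clock the constructed sample tokens are relative to.
var sampleNow = time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)

// tokenStore stands in for the introspection or JWT verification a gateway
// would really do. The opaque token strings are constructed sample data.
var tokenStore = map[string]bearerToken{
	"tok-valid":   {expiry: sampleNow.Add(time.Hour), scopes: []string{"read", "write"}},
	"tok-expired": {expiry: sampleNow.Add(-time.Hour), scopes: []string{"read", "write"}},
	"tok-narrow":  {expiry: sampleNow.Add(time.Hour), scopes: []string{"read"}},
}

// validate checks an Authorization header value against the store and the
// required scope, returning one of the sentinel errors (possibly wrapped).
func validate(authHeader, requiredScope string, at time.Time) error {
	if authHeader == "" {
		return ErrMissingToken
	}
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) || len(authHeader) == len(prefix) {
		return ErrMalformedRequest
	}
	tok, ok := tokenStore[strings.TrimPrefix(authHeader, prefix)]
	if !ok {
		return fmt.Errorf("%w: unknown token", ErrInvalidToken)
	}
	if !tok.expiry.After(at) {
		// An expired token is still an invalid token in RFC 6750 terms: 401, not 403.
		return fmt.Errorf("%w: expired at %s", ErrInvalidToken, tok.expiry.Format(time.RFC3339))
	}
	for _, s := range tok.scopes {
		if s == requiredScope {
			return nil
		}
	}
	return ErrInsufficientScope
}

// writeBearerError maps a validation failure onto the status code and
// WWW-Authenticate challenge from RFC 6750 section 3.1.
func writeBearerError(w http.ResponseWriter, err error, requiredScope string) {
	const realm = `Bearer realm="api"`
	switch {
	case errors.Is(err, ErrMissingToken):
		// No credentials at all: bare challenge, no error code.
		w.Header().Set("WWW-Authenticate", realm)
		w.WriteHeader(http.StatusUnauthorized)
	case errors.Is(err, ErrInvalidToken):
		w.Header().Set("WWW-Authenticate", realm+`, error="invalid_token", error_description="`+err.Error()+`"`)
		w.WriteHeader(http.StatusUnauthorized)
	case errors.Is(err, ErrInsufficientScope):
		// The token is genuine but not enough: this is the one 403 case.
		w.Header().Set("WWW-Authenticate", realm+`, error="insufficient_scope", scope="`+requiredScope+`"`)
		w.WriteHeader(http.StatusForbidden)
	default:
		w.Header().Set("WWW-Authenticate", realm+`, error="invalid_request"`)
		w.WriteHeader(http.StatusBadRequest)
	}
}

// requireBearer wraps a handler with the validation above (example middleware).
func requireBearer(requiredScope string, clock func() time.Time, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := validate(r.Header.Get("Authorization"), requiredScope, clock()); err != nil {
			writeBearerError(w, err, requiredScope)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// respondTo drives the middleware with an in-memory request and returns the
// status code and WWW-Authenticate header so the mapping can be checked.
func respondTo(authHeader string) (int, string) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := requireBearer("write", func() time.Time { return sampleNow }, ok)
	req := httptest.NewRequest(http.MethodGet, "/resource", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("WWW-Authenticate")
}

func main() {
	for _, a := range []string{"", "Bearer tok-valid", "Bearer tok-expired", "Bearer tok-narrow", "Basic abc"} {
		code, challenge := respondTo(a)
		fmt.Printf("%-20q -> %d %s\n", a, code, challenge)
	}
}
```

The distinction the switch encodes is the practical one: a 401 with an `invalid_token` challenge tells a well-behaved client to go and refresh or re-obtain its token, whereas a 403 tells it that retrying with new credentials will not help. Returning 403 for an expired token therefore misleads clients and also muddies access logs, since genuine authorization denials and mere token expiry become indistinguishable.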