HTTP response and headers for AJAX/oData authentication?
How should oData or AJAX services respond when the authentication cookie has expired and it's time to renew?
What should the server send to the client when:
- An oData or AJAX service access is forbidden (access denied)
- The session credentials are stale and need to be renewed, perhaps by redirecting to an ADFS, OpenID, or Azure ACS IDP
Just looking in Wikipedia lets me guess that I should send some version of 403.x for the first scenario, and a 401 for the second scenario.
Please confirm if the above is correct, and what I should include in the response header and body as well.
Some examples I assume to be incorrect do the following:
- Silently error out the AJAX service and return no data
- Attempt to redirect the AJAX call to the IDP
- Send error text to the client that is not in JSON format
It's always safe to play with the HTTP status codes instead of cooking up your own tokens or anything of that sort.
Since the fundamentals of OData are to make it possible for any client which knows how to communicate over HTTP, it makes sense to play around with the HTTP status code. The clients will decide what to do on a particular status code.
HTTP Status Codes are the way to go. OData specifically doesn't define anything that is already implemented at a lower level (such as security and authentication.)
401 is for Unauthenticated, 403 is for Unauthorized. For scenario 1 you only say "Access denied" but not why you're denying access. Is the user not authenticated? Then return 401. Is the user authenticated but lacking privileges? Then return 403.
For scenario 2, I would agree, return a detailed 401 status (i.e. with a valid "WWW-Authenticate" header for your authentication provider.)
The Wikipedia article I recommend starting at (you may have already found this) is: https://secure.wikimedia.org/wikipedia/en/wiki/List_of_HTTP_status_codes
Hope this helps someone. :-)
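The 401-vs-403 split from the answers above, as an added example that is not part of the question or either answer. It assumes a constructed session store, a hypothetical IdP URL, a made-up realm name and a bearer-style challenge (RFC 6750 parameters); the point is that every outcome carries a JSON body and the AJAX call itself is never redirected to the IdP.

```javascript
// Added example: a server-side decision function and a client-side dispatcher
// for AJAX/OData calls. The session store, IdP URL, realm and challenge
// parameters are constructed for illustration.

const IDP_LOGIN_URL = "https://idp.example.test/login"; // hypothetical IdP

// Constructed session store: token -> { user, expires (epoch ms), roles }
const SESSIONS = {
  "sess-ok":      { user: "alice", expires: Date.now() + 3600e3, roles: ["reader"] },
  "sess-expired": { user: "bob",   expires: Date.now() - 1,      roles: ["reader"] },
};

// Decide what the service sends back. Returns { status, headers, body }.
function authorize(sessionToken, requiredRole) {
  const session = SESSIONS[sessionToken];
  const json = { "Content-Type": "application/json" };
  if (!session || session.expires <= Date.now()) {
    // Missing or stale credentials: 401. WWW-Authenticate names the scheme;
    // the AJAX call is not redirected to the IdP, the JSON body tells the
    // client where a top-level login navigation should go.
    const challenge = session
      ? 'Bearer realm="odata", error="invalid_token", error_description="session expired"'
      : 'Bearer realm="odata"';
    return {
      status: 401,
      headers: { ...json, "WWW-Authenticate": challenge },
      body: JSON.stringify({ error: "unauthenticated", login: IDP_LOGIN_URL }),
    };
  }
  if (!session.roles.includes(requiredRole)) {
    // Authenticated but lacking privilege: 403 and no login hint, since
    // re-authenticating would not help.
    return {
      status: 403,
      headers: json,
      body: JSON.stringify({ error: "forbidden", required: requiredRole }),
    };
  }
  return { status: 200, headers: json, body: JSON.stringify({ value: [{ id: 1, owner: session.user }] }) };
}

// Client side: map the status code to an explicit action instead of
// silently dropping the result. A real client would perform the action.
function clientAction(response) {
  const body = JSON.parse(response.body);
  if (response.status === 401) return { action: "renew", target: body.login };
  if (response.status === 403) return { action: "deny", reason: body.error };
  return { action: "render", data: body.value };
}
```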