
TokenError defaults don't follow the RFC 6749 #221

@dposs-likindo

Description


According to RFC 6749 (The OAuth 2.0 Authorization Framework):

5.2. Error Response

The authorization server responds with an HTTP 400 (Bad Request)
status code (unless specified otherwise).

From https://tools.ietf.org/html/rfc6749#section-5.2

As you can see in this section of the RFC, the only exception is the "invalid_client" error, where an HTTP 401 (Unauthorized) status code may be supplied.

But looking at TokenError, we see these status codes, which go against the RFC:

function TokenError(message, code, uri, status) {
	if (!status) {
		switch (code) {
			case 'invalid_request': status = 400; break;
			case 'invalid_client': status = 401; break;
			case 'invalid_grant': status = 403; break;
			case 'unauthorized_client': status = 403; break;
			case 'unsupported_grant_type': status = 501; break;
			case 'invalid_scope': status = 400; break;
		}
	}
	...
}
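For comparison, here is what a §5.2-conformant default mapping looks like, as an added example that is not oauth2orize's code and is not part of the original issue. It keeps the same constructor signature as the snippet above (an explicit `status` still overrides the default), but defaults every code to 400 and reserves 401 for `invalid_client` only when the client authenticated via the `Authorization` header, which is the one case where RFC 6749 §5.2 requires the 401 together with a matching `WWW-Authenticate` header. The names `RfcTokenError`, `defaultStatus`, `tokenErrorResponse`, `sendTokenError`, the `realm` value and the `Cache-Control`/`Pragma` headers on the error response are all assumptions made for the example.

```javascript
'use strict';

// Added example, not oauth2orize's own code. Error codes defined by RFC 6749 §5.2.
const VALID_CODES = new Set([
  'invalid_request', 'invalid_client', 'invalid_grant',
  'unauthorized_client', 'unsupported_grant_type', 'invalid_scope',
]);

// Same shape as the TokenError constructor quoted in the issue (hypothetical name).
// `status` is an explicit override; when it is absent the RFC default is picked
// at response time, because the right default for invalid_client depends on
// how the client authenticated.
class RfcTokenError extends Error {
  constructor(message, code, uri, status) {
    super(message);
    this.name = 'TokenError';
    if (!VALID_CODES.has(code)) {
      throw new TypeError(`unknown OAuth 2.0 token error code: ${code}`);
    }
    this.code = code;
    this.uri = uri;
    this.status = status;
  }
}

// RFC 6749 §5.2 default: 400 for every error; 401 only for invalid_client when
// the client used the Authorization header (then the 401 is a MUST, not a MAY).
// `authScheme` is the scheme from that header (e.g. 'Basic') or undefined when
// the client sent its credentials in the request body.
function defaultStatus(code, authScheme) {
  return code === 'invalid_client' && authScheme ? 401 : 400;
}

// Build the complete error response: status, headers and the JSON body of §5.2.
function tokenErrorResponse(err, authScheme) {
  const status = err.status || defaultStatus(err.code, authScheme);
  const headers = {
    'Content-Type': 'application/json',
    // §5.1 mandates these on the success response; applying them to errors too
    // is a conservative choice made here (assumption), not a §5.2 requirement.
    'Cache-Control': 'no-store',
    'Pragma': 'no-cache',
  };
  if (status === 401) {
    // Must match the scheme the client used; realm value is a placeholder.
    headers['WWW-Authenticate'] = `${authScheme || 'Basic'} realm="token"`;
  }
  const body = { error: err.code };            // REQUIRED
  if (err.message) body.error_description = err.message; // OPTIONAL
  if (err.uri) body.error_uri = err.uri;                  // OPTIONAL
  return { status, headers, body };
}

// Express-style sender (constructed usage): `res` is assumed to offer
// status(), set() and json() like an Express response object.
function sendTokenError(res, err, authScheme) {
  const r = tokenErrorResponse(err, authScheme);
  res.status(r.status).set(r.headers).json(r.body);
  return r;
}
```

With this mapping, `unsupported_grant_type` and `unauthorized_client` come back as 400 instead of 501 and 403, and a client that sent a bad `Authorization: Basic ...` header receives a 401 with `WWW-Authenticate: Basic ...`, while the same `invalid_client` raised for body credentials stays at 400.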
