So I’ve finished my OAuth2 dance and am ready to use my new access token to get at some protected resource. The spec explicitly states that errors while accessing protected resources are “out of scope”. That includes the “error” where the access token has expired. Since there’s no way to tell if it’s a real request error (like the caller trying to get at something that doesn’t exist) or something that would succeed with a correct access token, my solution is to trap 400-series er...