[Openid-specs-ab] Corrected Registration error response examples to use WWW-Authenticate

Mike Jones Michael.Jones at microsoft.com
Tue Dec 17 16:25:58 UTC 2013


Thanks for reviewing, guys.  I've corrected the example at http://openid.bitbucket.org/openid-connect-registration-1_0.html#RegistrationError.  The example with the access token error at http://openid.bitbucket.org/openid-connect-registration-1_0.html#ReadError remains as it was.

                                                            Thanks,
                                                            -- Mike

From: Brian Campbell [mailto:bcampbell at pingidentity.com]
Sent: Tuesday, December 17, 2013 5:57 AM
To: Nat Sakimura
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Corrected Registration error response examples to use WWW-Authenticate

The first example at http://openid.bitbucket.org/openid-connect-registration-1_0.html#RegistrationError should be put back to showing the error in JSON in the response body.  invalid_redirect_uri is a registration error which doesn't make sense with WWW-Authenticate or RFC 6750.

See also Vladimir's and my comments on https://bitbucket.org/openid/connect/issue/912/registration-33-client-registration-error

On Mon, Dec 16, 2013 at 7:03 PM, Nat Sakimura <sakimura at gmail.com> wrote:
Assuming the link has been updated, the example code seems to be wrong.

It states:


  HTTP/1.1 400 Bad Request
  WWW-Authenticate: error="invalid_redirect_uri",
    error_description="One or more redirect_uri values are invalid"
  Cache-Control: no-store
  Pragma: no-cache

As you can see, this is missing the required authorization schema, which in our case is "Bearer".
The same is true for the ReadError.

RFC6750 states the example correctly as:


     HTTP/1.1 401 Unauthorized
     WWW-Authenticate: Bearer realm="example",
                       error="invalid_token",
                       error_description="The access token expired"



Best,

Nat

2013/12/16 Mike Jones <Michael.Jones at microsoft.com>
The Registration error responses are specified to return errors using the mechanism defined in RFC 6750, but the examples didn't do this.  This has now been corrected.

See http://openid.bitbucket.org/openid-connect-registration-1_0.html#RegistrationError and http://openid.bitbucket.org/openid-connect-registration-1_0.html#ReadError.

                                                            -- Mike


_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
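
Added example (not part of any message in this thread, and not code from the OpenID Connect or RFC 6750 specifications): a small checker for the two points raised above, that a WWW-Authenticate value needs an auth scheme such as Bearer, and that a registration error like invalid_redirect_uri belongs in a JSON body rather than in a Bearer challenge. The function names, the sample JSON body and the problem messages are assumptions made for illustration.

```python
import json
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
SCHEME = re.compile(rf"\s*({TOKEN})(?:\s+|$)")
PARAM = re.compile(rf'({TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({TOKEN}))')
BEARER_ERRORS = {"invalid_request", "invalid_token", "insufficient_scope"}  # RFC 6750 section 3.1

def parse_challenge(value):
    """Split one WWW-Authenticate value into (scheme, params); scheme is None if missing."""
    value = " ".join(value.split())  # unfold continuation lines
    scheme, rest = None, value
    m = SCHEME.match(value)
    # A leading token that is followed by "=" is a parameter name, not a scheme.
    if m and not value[m.end():].startswith("="):
        scheme, rest = m.group(1), value[m.end():]
    params = {}
    for name, quoted, bare in PARAM.findall(rest):
        params[name.lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
    return scheme, params

def check_error_response(headers, body=""):
    """Return a list of problems with how an error response carries its error."""
    raw = headers.get("WWW-Authenticate")
    if raw is None:
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None
        has_error = isinstance(doc, dict) and "error" in doc
        return [] if has_error else ["no challenge header and no JSON error in body"]
    scheme, params = parse_challenge(raw)
    problems = []
    if scheme is None:
        problems.append("WWW-Authenticate has no auth scheme such as Bearer")
    error = params.get("error")
    if error is not None and error not in BEARER_ERRORS:
        problems.append(f"{error} is not an RFC 6750 error code; send it in the JSON body")
    return problems

# Constructed samples: the header values are the two quoted in the thread;
# the JSON body is an assumed rendering of the form Brian asks for.
FLAWED = 'error="invalid_redirect_uri",\n    error_description="One or more redirect_uri values are invalid"'
RFC6750 = 'Bearer realm="example",\n    error="invalid_token",\n    error_description="The access token expired"'
JSON_BODY = '{"error": "invalid_redirect_uri", "error_description": "One or more redirect_uri values are invalid"}'

if __name__ == "__main__":
    print(check_error_response({"WWW-Authenticate": FLAWED}))
    print(check_error_response({"WWW-Authenticate": RFC6750}))
    print(check_error_response({}, JSON_BODY))
```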
