[Openid-specs-ab] Question about the non-normative example of a UserInfo Error Response

Takahiko Kawasaki daru.tk at gmail.com
Sun Feb 7 05:54:16 UTC 2016


Hello,

I have a question about the non-normative example of a UserInfo Error
Response in "OpenID Connect Core 1.0, 5.3.3. UserInfo Error Response".

The following is the example in the section.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: error="invalid_token",
      error_description="The Access Token expired"

However, it seems to me that the value of the WWW-Authenticate header should
start with "Bearer " like the following.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Bearer error="invalid_token",
      error_description="The Access Token expired"

The reason I think so is that "RFC 6750, 3. The WWW-Authenticate Response
Header Field" says as follows.

    All challenges defined by this specification
    MUST use the auth-scheme value "Bearer".

Is it okay to start the value of the WWW-Authenticate header with "Bearer " in
my implementation?

Best Regards,
Takahiko Kawasaki
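As an added example, not part of the original post: a small Python parser that applies the RFC 6750 requirement quoted above to both header values, accepting the one that begins with "Bearer" and rejecting the one that omits the auth-scheme. The two header constants are constructed copies of the examples above with the folded continuation line joined; the function names are my own.

```python
import re

# Constructed copies of the two header values from the post, continuation line
# joined: the non-normative OpenID Connect Core 5.3.3 example (no auth-scheme)
# and the variant prefixed with the "Bearer" scheme that RFC 6750 section 3 requires.
SPEC_EXAMPLE = 'error="invalid_token", error_description="The Access Token expired"'
BEARER_EXAMPLE = 'Bearer error="invalid_token", error_description="The Access Token expired"'

# auth-param = token "=" ( token / quoted-string )  (RFC 7235 section 2.1)
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_AUTH_PARAM = re.compile(
    r"\s*(" + _TOKEN + r")\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|(" + _TOKEN + r"))\s*(?:,|$)"
)


def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge as a dict.

    Raises ValueError if the value does not start with the "Bearer"
    auth-scheme (RFC 6750 section 3) or the parameter list is malformed.
    """
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError('auth-scheme must be "Bearer", got %r' % scheme)
    result = {}
    pos = 0
    while pos < len(params):
        m = _AUTH_PARAM.match(params, pos)
        if not m:
            raise ValueError("malformed auth-param near %r" % params[pos:pos + 20])
        name = m.group(1).lower()
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # unescape quoted-pair
        else:
            value = m.group(3)
        if name in result:
            raise ValueError("duplicate auth-param %r" % name)
        result[name] = value
        pos = m.end()
    return result


def is_valid_bearer_challenge(header_value):
    """True when the header value is a well-formed Bearer challenge."""
    try:
        parse_bearer_challenge(header_value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, value in (("spec example", SPEC_EXAMPLE), ("with Bearer", BEARER_EXAMPLE)):
        print(label, "->", "valid" if is_valid_bearer_challenge(value) else "rejected")
```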