[Openid-specs-ab] Question about the non-normative example of a UserInfo Error Response

Thomas Broyer t.broyer at gmail.com
Sun Feb 7 11:01:55 UTC 2016


On Sun, Feb 7, 2016 at 6:54 AM Takahiko Kawasaki <daru.tk at gmail.com> wrote:

> Hello,
>
> I have a question about the non-normative example of a UserInfo Error
> Response in "OpenID Connect Core 1.0, 5.3.3. UserInfo Error Response".
>
> The following is the example in the section.
>
>     HTTP/1.1 401 Unauthorized
>     WWW-Authenticate: error="invalid_token",
>       error_description="The Access Token expired"
>
> However, it seems to me that the value of the WWW-Authenticate header should
> start with "Bearer " like the following.
>
>     HTTP/1.1 401 Unauthorized
>     WWW-Authenticate: Bearer error="invalid_token",
>       error_description="The Access Token expired"
>
> The reason I think so is that "RFC 6750, 3. The WWW-Authenticate Response
> Header Field" says as follows.
>
>     All challenges defined by this specification
>     MUST use the auth-scheme value "Bearer".
>

Not only that but “RFC 7235, 4.1 WWW-Authenticate” [1] mandates it.

[1] https://tools.ietf.org/html/rfc7235#section-4.1


> Is it okay to start the value of the WWW-Authenticate header with "Bearer " in
> my implementation?
>

You actually MUST use "Bearer"; the example is wrong.
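As an added example (not part of the thread or of any OpenID implementation), the following Python helpers emit the challenge in the form the reply calls for and reject a value that, like the spec's example, omits the auth-scheme. The two sample header values are constructed from the forms quoted above, and the auth-param grammar is a simplified rendering of RFC 7235.

```python
import re
from typing import Dict, Optional

# Constructed sample values: the two header forms quoted in the thread.
BROKEN_CHALLENGE = 'error="invalid_token", error_description="The Access Token expired"'
CORRECT_CHALLENGE = 'Bearer error="invalid_token", error_description="The Access Token expired"'

BEARER_ERRORS = {"invalid_request", "invalid_token", "insufficient_scope"}  # RFC 6750, 3.1

# One auth-param: token "=" (quoted-string | token), then a comma or end of value.
_AUTH_PARAM = re.compile(
    r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')


def build_bearer_challenge(error: str, description: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value that starts with the mandatory auth-scheme."""
    if error not in BEARER_ERRORS:
        raise ValueError(f"unknown Bearer error code: {error}")
    params = [f'error="{error}"']
    if description is not None:
        # Backslash-escape so the text survives as an RFC 7235 quoted-string.
        escaped = description.replace("\\", "\\\\").replace('"', '\\"')
        params.append(f'error_description="{escaped}"')
    return "Bearer " + ", ".join(params)


def parse_bearer_challenge(value: str) -> Dict[str, str]:
    """Parse a WWW-Authenticate value, rejecting one that lacks the Bearer scheme."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("challenge does not start with the Bearer auth-scheme")
    params: Dict[str, str] = {}
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        quoted, token = m.group(2), m.group(3)
        # Undo quoted-pair escapes inside a quoted-string.
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        pos = m.end()
    if "error" in params and params["error"] not in BEARER_ERRORS:
        raise ValueError(f"unknown Bearer error code: {params['error']}")
    return params


def is_valid_bearer_challenge(value: str) -> bool:
    try:
        parse_bearer_challenge(value)
        return True
    except ValueError:
        return False
```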