[Openid-specs-ab] Question about the non-normative example of a UserInfo Error Response

Takahiko Kawasaki daru.tk at gmail.com
Mon Feb 8 08:14:07 UTC 2016


Dear Thomas,

Thank you for your clarification. I'll make WWW-Authenticate value start
with "Bearer".

Best Regards,
Takahiko Kawasaki


2016-02-07 20:01 GMT+09:00 Thomas Broyer <t.broyer at gmail.com>:

>
>
> On Sun, Feb 7, 2016 at 6:54 AM Takahiko Kawasaki <daru.tk at gmail.com>
> wrote:
>
>> Hello,
>>
>> I have a question about the non-normative example of a UserInfo Error
>> Response in "OpenID Connect Core 1.0, 5.3.3. UserInfo Error Response".
>>
>> The following is the example in the section.
>>
>>     HTTP/1.1 401 Unauthorized
>>     WWW-Authenticate: error="invalid_token",
>>       error_description="The Access Token expired"
>>
>> However, it seems to me that the value of WWW-Authenticate header should
>> start with "Bearer " like the following.
>>
>>     HTTP/1.1 401 Unauthorized
>>     WWW-Authenticate: Bearer error="invalid_token",
>>       error_description="The Access Token expired"
>>
>> The reason I think so is that "RFC 6750, 3. The WWW-Authenticate Response
>> Header Field" says as follows.
>>
>>     All challenges defined by this specification
>>     MUST use the auth-scheme value "Bearer".
>>
>
> Not only that but “RFC 7235, 4.1 WWW-Authenticate” [1] mandates it.
>
> [1] https://tools.ietf.org/html/rfc7235#section-4.1
>
>
>> Is it okay to start the value of WWW-Authenticate header with "Bearer "
>> in my implementation?
>>
>
> You actually MUST use "Bearer", the example is wrong.
>
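The point the thread settles on is that a Bearer challenge is only well-formed when its value starts with the auth-scheme. As an added illustration (not code from the original mail or from the OpenID/IETF specs), the following constructed Python checker parses a WWW-Authenticate value per RFC 7235 section 2.1 and RFC 6750 section 3, rejects the Core 1.0 example because it carries no scheme, accepts the corrected value, and builds challenges that always carry the scheme; the function names and sample strings are assumptions made for this example.

```python
import re

# Constructed samples taken from the thread: the Core 1.0 example (no
# auth-scheme) and the corrected value that starts with "Bearer".
SPEC_EXAMPLE = 'error="invalid_token",\n  error_description="The Access Token expired"'
CORRECTED_EXAMPLE = 'Bearer error="invalid_token",\n  error_description="The Access Token expired"'

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                        # RFC 7230 token
_PARAM = re.compile(rf'\s*({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))\s*(,|$)')
_CHALLENGE = re.compile(rf'\s*({_TOKEN})(?:\s+(.*))?$', re.S)   # auth-scheme [ SP params ]

def _parse_auth_params(text):
    """Parse a comma-separated list of auth-param (RFC 7235 section 2.1)."""
    params, pos = {}, 0
    while pos < len(text):
        m = _PARAM.match(text, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {text[pos:]!r}")
        name, quoted, bare, sep = m.groups()
        # quoted-string: undo quoted-pair escaping (\" and \\)
        params[name.lower()] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
        if sep == "":
            break
    return params

def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge, or None when the value does
    not carry the "Bearer" auth-scheme that RFC 6750 section 3 requires."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # join obs-fold continuation lines
    m = _CHALLENGE.match(unfolded)
    if not m or m.group(1).lower() != "bearer":           # scheme name is case-insensitive
        return None
    return _parse_auth_params(m.group(2) or "")

def build_bearer_challenge(error, error_description=None, realm=None):
    """Build a WWW-Authenticate value that always starts with the auth-scheme."""
    def quote(v):  # quoted-string per RFC 7230: escape backslash and double quote
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    params = [f"realm={quote(realm)}"] if realm is not None else []
    params.append(f"error={quote(error)}")
    if error_description is not None:
        params.append(f"error_description={quote(error_description)}")
    return "Bearer " + ", ".join(params)
```

Running `parse_bearer_challenge(SPEC_EXAMPLE)` returns None because the first token is `error`, not a scheme, while the corrected value yields the two auth-params a client can act on.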