[Openid-specs-ab] Question about the non-normative example of a UserInfo Error Response

Brian Campbell bcampbell at pingidentity.com
Mon Feb 8 13:01:32 UTC 2016


FWIW, I created an issue for this
https://bitbucket.org/openid/connect/issues/990/userinfo-error-response-example-missing

On Mon, Feb 8, 2016 at 1:14 AM, Takahiko Kawasaki <daru.tk at gmail.com> wrote:

> Dear Thomas,
>
> Thank you for your clarification. I'll make the WWW-Authenticate value start
> with "Bearer".
>
> Best Regards,
> Takahiko Kawasaki
>
>
> 2016-02-07 20:01 GMT+09:00 Thomas Broyer <t.broyer at gmail.com>:
>
>>
>>
>> On Sun, Feb 7, 2016 at 6:54 AM Takahiko Kawasaki <daru.tk at gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I have a question about the non-normative example of a UserInfo Error
>>> Response in "OpenID Connect Core 1.0, 5.3.3. UserInfo Error Response".
>>>
>>> The following is the example in the section.
>>>
>>>     HTTP/1.1 401 Unauthorized
>>>     WWW-Authenticate: error="invalid_token",
>>>       error_description="The Access Token expired"
>>>
>>> However, it seems to me that the value of the WWW-Authenticate header should
>>> start with "Bearer " like the following.
>>>
>>>     HTTP/1.1 401 Unauthorized
>>>     WWW-Authenticate: Bearer error="invalid_token",
>>>       error_description="The Access Token expired"
>>>
>>> The reason I think so is that "RFC 6750, 3. The WWW-Authenticate
>>> Response Header Field" says as follows.
>>>
>>>     All challenges defined by this specification
>>>     MUST use the auth-scheme value "Bearer".
>>>
>>
>> Not only that but “RFC 7235, 4.1 WWW-Authenticate” [1] mandates it.
>>
>> [1] https://tools.ietf.org/html/rfc7235#section-4.1
>>
>>
>>> Is it okay to start the value of the WWW-Authenticate header with "Bearer "
>>> in my implementation?
>>>
>>
>> You actually MUST use "Bearer", the example is wrong.
>>
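The challenge format under discussion, as an added example (my own code, not from the OpenID specification or from anyone on the list): a parser that follows the RFC 7235 challenge grammar and the RFC 6750 Bearer error codes, so it rejects the spec's example (no auth-scheme in front) and accepts the corrected one, plus a builder that emits the corrected form.

```python
import re
from typing import Optional

# RFC 7230 "tchar": the characters allowed in a token (auth-scheme, param names).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 7235 4.1: a challenge is an auth-scheme token, then optional auth-params.
_CHALLENGE_RE = re.compile(rf"^({_TOKEN})(?:[ \t]+(.*))?$", re.DOTALL)
# auth-param = token "=" ( token / quoted-string ), comma-separated (RFC 7235 2.1).
_PARAM_RE = re.compile(rf'\s*({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))\s*(?:,|$)')
# Error codes a Bearer challenge may carry (RFC 6750 3.1).
BEARER_ERRORS = {"invalid_request", "invalid_token", "insufficient_scope"}


def parse_bearer_challenge(header_value: str) -> dict:
    """Parse one WWW-Authenticate challenge and require the Bearer auth-scheme."""
    # Unfold obs-fold continuation lines, as used in the spec example.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value).strip()
    m = _CHALLENGE_RE.match(unfolded)
    if m is None:  # e.g. the spec example, which starts with error=... instead of a scheme
        raise ValueError("challenge does not start with an auth-scheme token")
    scheme, rest = m.group(1), (m.group(2) or "").strip()
    if scheme.lower() != "bearer":  # auth-scheme names are case-insensitive
        raise ValueError(f"unexpected auth-scheme {scheme!r}")
    params, pos = {}, 0
    while pos < len(rest):
        pm = _PARAM_RE.match(rest, pos)
        if pm is None:
            raise ValueError(f"malformed auth-param at {rest[pos:pos + 20]!r}")
        raw = pm.group(2) if pm.group(2) is not None else pm.group(3)
        params[pm.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)  # undo quoted-pair escapes
        pos = pm.end()
    if "error" in params and params["error"] not in BEARER_ERRORS:
        raise ValueError(f"unknown Bearer error code {params['error']!r}")
    return params


def is_valid_bearer_challenge(header_value: str) -> bool:
    try:
        parse_bearer_challenge(header_value)
        return True
    except ValueError:
        return False


def bearer_challenge(error: Optional[str] = None, description: Optional[str] = None,
                     realm: Optional[str] = None) -> str:
    """Build a WWW-Authenticate value in the form RFC 6750 section 3 requires."""
    parts = []
    for name, val in (("realm", realm), ("error", error), ("error_description", description)):
        if val is None:
            continue
        if '"' in val or "\\" in val:  # RFC 6750 excludes these characters from the values
            raise ValueError(f"{name} may not contain a quote or backslash")
        parts.append(f'{name}="{val}"')
    return "Bearer" + (" " + ", ".join(parts) if parts else "")
```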