[Openid-specs-ab] Question about the non-normative example of a UserInfo Error Response

Nat Sakimura sakimura at gmail.com
Mon Feb 8 14:09:15 UTC 2016


Thanks. Good catch. Need to go into next batch of errata.

Nat

Mon, 8 Feb 2016 22:09 Brian Campbell <bcampbell at pingidentity.com>:

> FWIW, I created an issue for this
> https://bitbucket.org/openid/connect/issues/990/userinfo-error-response-example-missing
>
> On Mon, Feb 8, 2016 at 1:14 AM, Takahiko Kawasaki <daru.tk at gmail.com>
> wrote:
>
>> Dear Thomas,
>>
>> Thank you for your clarification. I'll make WWW-Authenticate value start
>> with "Bearer".
>>
>> Best Regards,
>> Takahiko Kawasaki
>>
>>
>> 2016-02-07 20:01 GMT+09:00 Thomas Broyer <t.broyer at gmail.com>:
>>
>>>
>>>
>>> On Sun, Feb 7, 2016 at 6:54 AM Takahiko Kawasaki <daru.tk at gmail.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> I have a question about the non-normative example of a UserInfo Error
>>>> Response in "OpenID Connect Core 1.0, 5.3.3. UserInfo Error Response".
>>>>
>>>> The following is the example in the section.
>>>>
>>>>     HTTP/1.1 401 Unauthorized
>>>>     WWW-Authenticate: error="invalid_token",
>>>>       error_description="The Access Token expired"
>>>>
>>>> However, it seems to me that the value of the WWW-Authenticate header
>>>> should start with "Bearer " like the following.
>>>>
>>>>     HTTP/1.1 401 Unauthorized
>>>>     WWW-Authenticate: Bearer error="invalid_token",
>>>>       error_description="The Access Token expired"
>>>>
>>>> The reason I think so is that "RFC 6750, 3. The WWW-Authenticate
>>>> Response Header Field" says as follows.
>>>>
>>>>     All challenges defined by this specification
>>>>     MUST use the auth-scheme value "Bearer".
>>>>
>>>
>>> Not only that but “RFC 7235, 4.1 WWW-Authenticate” [1] mandates it.
>>>
>>> [1] https://tools.ietf.org/html/rfc7235#section-4.1
>>>
>>>
>>>> Is it okay to start the value of the WWW-Authenticate header with
>>>> "Bearer " in my implementation?
>>>>
>>>
>>> You actually MUST use "Bearer", the example is wrong.
>>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
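The thread's conclusion is that a WWW-Authenticate value is a challenge, and a challenge begins with an auth-scheme token (RFC 7235 §4.1 / §2.1); RFC 6750 §3 then fixes that scheme to "Bearer". The following is an added example written for this page, not code from the OpenID specification, the mailing list participants, or any library: a strict challenge parser that rejects the spec's non-normative example as printed and accepts the corrected form, plus a generator for RFC 6750 challenges that a UserInfo endpoint could emit. The header strings SPEC_EXAMPLE and CORRECTED are constructed from the text of the thread, and the function names are this example's own.

```python
"""Strict parsing and generation of RFC 6750 Bearer challenges carried in
WWW-Authenticate (RFC 7235 section 4.1). Illustrative code only; the header
strings below are constructed from the mailing-list thread."""
import re

# tchar from RFC 7230 section 3.2.6; a token is one or more of these characters.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string: anything except '"' and '\', or a backslash-escaped character.
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
# auth-param = token BWS "=" BWS ( token / quoted-string )   (RFC 7235 section 2.1)
AUTH_PARAM = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({TOKEN}|{QUOTED_STRING})")
LIST_SEP = re.compile(r"[ \t]*,[ \t]*")
# Character subset RFC 6750 section 3 allows inside error_description
# (%x20-21 / %x23-5B / %x5D-7E): printable ASCII without '"' and '\'.
# Applied to every quoted value here as a simplification, so no escaping is needed.
_QSAFE = re.compile(r"^[\x20-\x21\x23-\x5b\x5d-\x7e]*$")
_ERROR_CODES = {"invalid_request", "invalid_token", "insufficient_scope"}


def parse_challenge(header_value):
    """Parse one challenge: auth-scheme [ 1*SP #auth-param ].

    Returns (scheme, params). Raises ValueError for anything outside the
    grammar, which is what a strict client or a conformance test should do.
    """
    # A folded header (continuation line starting with SP/HTAB) is unfolded
    # into a single SP, as an HTTP/1.1 message parser would do.
    value = re.sub(r"\r?\n[ \t]+", " ", header_value).strip()
    m = re.match(TOKEN, value)
    if not m or (m.end() < len(value) and value[m.end()] not in " \t"):
        raise ValueError("WWW-Authenticate must start with an auth-scheme "
                         "token followed by whitespace: %r" % value)
    scheme, rest = m.group(0), value[m.end():].strip()
    params = {}
    pos = 0
    while pos < len(rest):
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            raise ValueError("malformed auth-param: %r" % rest[pos:])
        name, raw = pm.group(1).lower(), pm.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # drop quotes, unescape
        if name in params:
            raise ValueError("duplicate auth-param %r" % name)
        params[name] = raw
        pos = pm.end()
        sep = LIST_SEP.match(rest, pos)
        if sep:
            pos = sep.end()
        elif pos != len(rest):
            raise ValueError("expected ',' before: %r" % rest[pos:])
    return scheme, params


def is_bearer_challenge(header_value):
    """True when the value parses and its scheme is Bearer (case-insensitive)."""
    try:
        scheme, _ = parse_challenge(header_value)
    except ValueError:
        return False
    return scheme.lower() == "bearer"


def bearer_error(header_value):
    """Return the RFC 6750 error code of a Bearer challenge, or None when the
    challenge carries no error (RFC 6750 says the server SHOULD NOT send one
    when the request had no token). Raises ValueError for other schemes."""
    scheme, params = parse_challenge(header_value)
    if scheme.lower() != "bearer":  # auth-scheme is case-insensitive
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return params.get("error")


def bearer_challenge(error=None, description=None, realm=None, scope=None):
    """Build an RFC 6750 section 3 challenge value; the scheme is never omitted."""
    params = []
    if realm is not None:
        params.append(("realm", realm))
    if scope is not None:
        params.append(("scope", scope))
    if error is not None:
        if error not in _ERROR_CODES:
            raise ValueError("unknown RFC 6750 error code %r" % error)
        params.append(("error", error))
        if description is not None:
            params.append(("error_description", description))
    elif description is not None:
        raise ValueError("error_description requires an error code")
    for name, val in params:
        if not _QSAFE.match(val):
            raise ValueError("%s contains characters outside the allowed subset" % name)
    body = ", ".join('%s="%s"' % (n, v) for n, v in params)
    return "Bearer" + (" " + body if body else "")


# Constructed inputs: the spec's non-normative example as printed (no scheme)
# and the corrected form proposed in the thread, both with the folded second line.
SPEC_EXAMPLE = 'error="invalid_token",\n  error_description="The Access Token expired"'
CORRECTED = 'Bearer error="invalid_token",\n  error_description="The Access Token expired"'

if __name__ == "__main__":
    print(parse_challenge(CORRECTED))
    try:
        parse_challenge(SPEC_EXAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
    print(bearer_challenge("invalid_token", "The Access Token expired"))
```

Run as a script, the parser accepts CORRECTED and rejects SPEC_EXAMPLE because "error" is followed by "=" rather than the whitespace that must separate an auth-scheme from its parameters. A resource server that emits the example as printed will be ignored by any client that parses challenges strictly, so the scheme is not optional decoration but the part the client keys on.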