[Openid-specs-ab] Question about the non-normative example of a UserInfo Error Response
Thomas Broyer
t.broyer at gmail.com
Sun Feb 7 11:01:55 UTC 2016
On Sun, Feb 7, 2016 at 6:54 AM Takahiko Kawasaki <daru.tk at gmail.com> wrote:
> Hello,
>
> I have a question about the non-normative example of a UserInfo Error
> Response in "OpenID Connect Core 1.0, 5.3.3. UserInfo Error Response".
>
> The following is the example in the section.
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: error="invalid_token",
> error_description="The Access Token expired"
>
> However, it seems to me that the value of the WWW-Authenticate header should
> start with "Bearer " like the following.
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Bearer error="invalid_token",
> error_description="The Access Token expired"
>
> The reason I think so is that "RFC 6750, 3. The WWW-Authenticate Response
> Header Field" says as follows.
>
> All challenges defined by this specification
> MUST use the auth-scheme value "Bearer".
>
Not only that but “RFC 7235, 4.1 WWW-Authenticate” [1] mandates it.
[1] https://tools.ietf.org/html/rfc7235#section-4.1
> Is it okay to start the value of the WWW-Authenticate header with "Bearer " in
> my implementation?
>
You actually MUST use "Bearer", the example is wrong.
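The following is an added example, not code from the thread or from the OpenID or IETF specifications. It builds the WWW-Authenticate value a UserInfo endpoint should return on a bad access token and parses challenges with the grammar of RFC 7235 section 4.1 (auth-scheme, then optional whitespace-separated auth-params) and RFC 6750 section 3. It also maps the three RFC 6750 section 3.1 error codes to their HTTP status codes, which goes slightly beyond the single invalid_token case in the question. Function names and the sample header values are my own choices.

```python
"""
Added example (not from the original post or the OpenID specs): build and parse
WWW-Authenticate challenges for a UserInfo error response, checking the point
made in the thread that a challenge must begin with an auth-scheme ("Bearer").
Grammar follows RFC 7235 section 4.1 and RFC 6750 section 3; helper names and
sample values are assumptions made for this example.
"""
import re

# tchar from RFC 7230 section 3.2.6: auth-scheme and auth-param names are tokens.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string with quoted-pair (obs-text omitted for brevity).
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_SCHEME_RE = re.compile(rf"({_TOKEN})(?:\s+(.*))?$", re.S)
_PARAM_RE = re.compile(rf"({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})")
_SEP_RE = re.compile(r"\s*,\s*")

# RFC 6750 section 3.1: Bearer error codes and the HTTP status each is sent with.
BEARER_ERRORS = {"invalid_request": 400, "invalid_token": 401, "insufficient_scope": 403}


def status_for(error):
    """HTTP status code that RFC 6750 section 3.1 pairs with a Bearer error code."""
    return BEARER_ERRORS[error]


def bearer_challenge(error=None, error_description=None, realm=None, scope=None):
    """Value of the WWW-Authenticate field for a Bearer challenge. The scheme
    comes first and is mandatory; every attribute is optional (RFC 6750 s.3)."""
    params = []
    if realm is not None:
        params.append('realm="%s"' % realm.replace("\\", "\\\\").replace('"', '\\"'))
    if scope is not None:
        params.append(f'scope="{scope}"')
    if error is not None:
        if error not in BEARER_ERRORS:
            raise ValueError(f"unknown Bearer error code: {error!r}")
        params.append(f'error="{error}"')
    if error_description is not None:
        # RFC 6750 s.3 limits error_description to %x20-21 / %x23-5B / %x5D-7E,
        # i.e. printable ASCII without '"' and '\', so no escaping is needed.
        if not re.fullmatch(r"[\x20-\x21\x23-\x5b\x5d-\x7e]*", error_description):
            raise ValueError("error_description contains a disallowed character")
        params.append(f'error_description="{error_description}"')
    return "Bearer" + (" " + ", ".join(params) if params else "")


def parse_challenge(value):
    """Parse one challenge into (auth-scheme, {param: value}). Raises ValueError
    when the field does not start with an auth-scheme token followed by
    whitespace or end-of-value, which is what RFC 7235 section 4.1 requires."""
    m = _SCHEME_RE.match(value.strip())
    if not m:
        raise ValueError("challenge must begin with an auth-scheme (RFC 7235 4.1)")
    scheme, rest = m.group(1), (m.group(2) or "").strip()
    params, pos = {}, 0
    while pos < len(rest):
        pm = _PARAM_RE.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed auth-param at {rest[pos:]!r}")
        name, raw = pm.group(1).lower(), pm.group(2)  # param names are case-insensitive
        params[name] = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw
        pos = pm.end()
        sep = _SEP_RE.match(rest, pos)
        if sep:
            pos = sep.end()
        elif pos < len(rest):
            raise ValueError(f"expected ',' before {rest[pos:]!r}")
    return scheme, params


def is_valid_bearer_challenge(value):
    """True when the value parses as a challenge whose auth-scheme is Bearer."""
    try:
        scheme, _ = parse_challenge(value)
    except ValueError:
        return False
    return scheme.lower() == "bearer"


if __name__ == "__main__":
    # Constructed sample: what the UserInfo endpoint should send for an expired token.
    hdr = bearer_challenge(error="invalid_token", error_description="The Access Token expired")
    print(f"HTTP/1.1 {status_for('invalid_token')} Unauthorized")
    print("WWW-Authenticate:", hdr)
    print(parse_challenge(hdr))
    # The spec's example with the scheme missing does not parse as a challenge at all.
    bad = 'error="invalid_token", error_description="The Access Token expired"'
    print("spec example valid?", is_valid_bearer_challenge(bad))
```

Run stand-alone it prints the corrected 401 response and shows that the scheme-less example from the spec is rejected: the parser reads `error` as a would-be auth-scheme and then finds `=` where RFC 7235 requires whitespace or the end of the field. A client library that parses WWW-Authenticate strictly will behave the same way, which is the practical reason to emit "Bearer" first.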