W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2011

Re: BCP for returning HTTP Authentication (2617) Error Status (questions from the OAuth WG)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 11 May 2011 09:35:30 +0200
Message-ID: <4DCA3C42.2090101@gmx.de>
To: Eran Hammer-Lahav <eran@hueniverse.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On 09.05.2011 18:49, Eran Hammer-Lahav wrote:
> ...
> The OAuth WG is seeking guidance on the following questions:
>
> 1. Should the WG define a general purpose method for returning errors with a 401 WWW-Authenticate headers, including a cross-scheme error code registry?
> ...

Not sure. Are there error conditions servers *want* to reveal, and which 
also have interoperable implications for clients across authentication 
schemes? That is, can they really be re-used?

If that's the case, a standalone document defining these parameters, 
with an easy way for new schemes to include these params would make sense.

> ...
> [2] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
> ...

That being said, here are a few comments about the aforementioned spec.

    error           = "error" "=" quoted-string
    error-desc      = "error_description" "=" quoted-string
    error-uri       = "error_uri" = <"> URI-reference <">

This probably should be

    error           = "error" "=" quoted-string
    error-desc      = "error_description" "=" quoted-string
    error-uri       = "error_uri" "=" DQUOT URI-reference DQUOT

(missing quotes around the "=", and also please avoid prose productions).

Also, you do seem to ignore I18N issues with the error_description. 
What's the encoding?

(and, as a matter of taste, I'd prefer hyphens instead of underscores in 
parameter names...).

Best regards, Julian
Received on Wednesday, 11 May 2011 07:36:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:40 GMT