- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 11 May 2011 09:35:30 +0200
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- CC: HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
On 09.05.2011 18:49, Eran Hammer-Lahav wrote:
> ...
> The OAuth WG is seeking guidance on the following questions:
>
> 1. Should the WG define a general purpose method for returning errors with a 401 WWW-Authenticate headers, including a cross-scheme error code registry?
> ...
Not sure. Are there error conditions servers *want* to reveal, and which
also have interoperable implications for clients across authentication
schemes? That is, can they really be re-used?
If that's the case, a standalone document defining these parameters,
with an easy way for new schemes to include these params would make sense.
> ...
> [2] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04
> ...
That being said, here are a few comments about the aforementioned spec.
error = "error" "=" quoted-string
error-desc = "error_description" "=" quoted-string
error-uri = "error_uri" = <"> URI-reference <">
This probably should be
error = "error" "=" quoted-string
error-desc = "error_description" "=" quoted-string
error-uri = "error_uri" "=" DQUOT URI-reference DQUOT
(missing quotes around the "=", and also please avoid prose productions).
Also, you do seem to ignore I18N issues with the error_description.
What's the encoding?
(and, as a matter of taste, I'd prefer hyphens instead of underscores in
parameter names...).
Best regards, Julian
Received on Wednesday, 11 May 2011 07:36:06 UTC