Re: BCP for returning HTTP Authentication (2617) Error Status (questions from the OAuth WG)

On 09.05.2011 18:49, Eran Hammer-Lahav wrote:
> ...
> The OAuth WG is seeking guidance on the following questions:
> 1. Should the WG define a general purpose method for returning errors with a 401 WWW-Authenticate headers, including a cross-scheme error code registry?
> ...

Not sure. Are there error conditions servers *want* to reveal, and which 
also have interoperable implications for clients across authentication 
schemes? That is, can they really be re-used?

If that's the case, a standalone document defining these parameters, 
with an easy way for new schemes to include these params would make sense.

> ...
> [2]
> ...

That being said, here are a few comments about the aforementioned spec.

    error           = "error" "=" quoted-string
    error-desc      = "error_description" "=" quoted-string
    error-uri       = "error_uri" = <"> URI-reference <">

This probably should be

    error           = "error" "=" quoted-string
    error-desc      = "error_description" "=" quoted-string
    error-uri       = "error_uri" "=" DQUOT URI-reference DQUOT

(missing quotes around the "=", and also please avoid prose productions).

Also, you do seem to ignore I18N issues with the error_description. 
What's the encoding?

(and, as a matter of taste, I'd prefer hyphens instead of underscores in 
parameter names...).

Best regards, Julian

Received on Wednesday, 11 May 2011 07:36:06 UTC