The correct WWW-Authenticate header for the OAuth provider

In the OAuth 1.0 spec, it is proposed to respond with the following WWW-Authenticate header:

WWW-Authenticate: OAuth realm="http://server.example.com/" 

Can I add any other information to this header? If the request for a secure resource fails, it would be wise to include some information about why. For example:

 WWW-Authenticate: OAuth realm="http://server.example.com/", access token invalid 

Or is this contrary to the purpose of the response header?

+7
3 answers

Sounds a little dubious to me. The WWW-Authenticate header is specified by the RFC, which appears to prohibit the example you provided. The OAuth specification says that you can include other WWW-Authenticate fields as defined by the RFC, not that you can just put arbitrary strings at the end. I would avoid this if there is no specific field that you could twist for your own purposes.

+6

Note, in case someone just stumbles upon this: the OAuth 2.0 Bearer Token Usage spec adds the attributes "error", "error_description" and "error_uri" to "WWW-Authenticate" to report additional error information, and it specifies when they should and should not be used.

e.g.:

  HTTP/1.1 401 Unauthorized
  WWW-Authenticate: Bearer realm="example",
                    error="invalid_token",
                    error_description="The access token expired"

+14
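The answer above describes how OAuth 2.0 Bearer Token Usage (RFC 6750) carries error information in the challenge. The following is an added example, not code from the original page or from any OAuth library: a server-side builder that emits the challenge with the status code RFC 6750 assigns to each error code (and leaves the error code out when the request carried no token at all, as the spec recommends), plus a client-side parser that rejects malformed or duplicated auth-params. The realm "example", the scope strings and the helper names are assumptions made for the illustration.

```python
"""Building and parsing RFC 6750 (OAuth 2.0 Bearer Token Usage) challenges.

Added example, not code from the original page. Assumes the rules of
RFC 6750 section 3: realm/scope/error/error_description/error_uri are
auth-params, each error code maps to a fixed HTTP status, and a request
that carried no token at all gets a bare challenge without an error code.
"""
import re

# RFC 6750 section 3.1: each error code has a fixed HTTP status.
ERROR_STATUS = {
    "invalid_request": 400,
    "invalid_token": 401,
    "insufficient_scope": 403,
}

# Characters RFC 6750 allows inside error_description / scope values:
# %x20-21 / %x23-5B / %x5D-7E, i.e. printable ASCII without '"' and '\'.
_SAFE_VALUE = re.compile(r'^[\x20\x21\x23-\x5B\x5D-\x7E]*$')


def build_challenge(realm, *, error=None, error_description=None,
                    error_uri=None, scope=None, token_present=True):
    """Return (status, www_authenticate_value) for a failed bearer request.

    token_present=False models a request with no Authorization header:
    RFC 6750 says the server SHOULD NOT include an error code then, so the
    response is a plain 401 carrying only the realm.
    """
    if not token_present:
        return 401, f'Bearer realm="{realm}"'
    if error not in ERROR_STATUS:
        raise ValueError(f"unknown bearer error code: {error!r}")
    params = [f'realm="{realm}"']
    if scope is not None:
        params.append(f'scope="{scope}"')
    params.append(f'error="{error}"')
    for name, value in (("error_description", error_description),
                        ("error_uri", error_uri)):
        if value is not None:
            if not _SAFE_VALUE.match(value):
                raise ValueError(f"{name} contains characters RFC 6750 forbids")
            params.append(f'{name}="{value}"')
    return ERROR_STATUS[error], "Bearer " + ", ".join(params)


# One auth-param: token "=" quoted-string, followed by a comma or end of header.
# Backslash escapes are not accepted; RFC 6750 forbids them in these values.
_PARAM = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*"([^"\\]*)"\s*(?:,|$)')


def parse_challenge(header_value):
    """Parse a Bearer challenge into a dict of its auth-params.

    Rejects a non-Bearer scheme, an unquoted or malformed parameter, and a
    parameter given twice (RFC 7235 allows realm at most once).
    """
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = {}
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}")
        name = m.group(1).lower()
        if name in params:
            raise ValueError(f"duplicate auth-param {name}")
        params[name] = m.group(2)
        pos = m.end()
    return params


def classify_failure(header_value):
    """Client side: decide what to do with a 401/403 carrying a challenge.

    'retry-with-token' when no error was reported (the request simply had
    no credentials), 'refresh' for invalid_token, 'need-scope' for
    insufficient_scope, otherwise 'fix-request'.
    """
    error = parse_challenge(header_value).get("error")
    if error is None:
        return "retry-with-token"
    if error == "invalid_token":
        return "refresh"
    if error == "insufficient_scope":
        return "need-scope"
    return "fix-request"


if __name__ == "__main__":
    status, value = build_challenge(
        "example", error="invalid_token",
        error_description="The access token expired")
    print(status, "WWW-Authenticate:", value)
    print(classify_failure(value))
```

The bare `Bearer realm="example"` form that `token_present=False` produces is the counterpart of the OAuth 1.0 header in the question: it tells the client that credentials are required without claiming anything about a token that was never sent. Everything beyond that goes into the auth-params the spec defines, never into free text appended to the header.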

It is against the spec to do this, and if it weren't, it would probably be something like:

 realm="http://server.example.com", oauth_error="access token invalid" 

I would recommend using the response body for such things, or perhaps the X-OAuth-Error header.

+7
