Re: [OAUTH-WG] Standardized error responses from protected resource endpoints

Brian Campbell <bcampbell@pingidentity.com> Wed, 30 July 2014 12:24 UTC

In-Reply-To: <CAGpwqP8QxsUBSNPhzk2Gh_E1Y9yUUUcQaV-Esuqt7JDXNX3qUA@mail.gmail.com>
References: <CAGpwqP8QxsUBSNPhzk2Gh_E1Y9yUUUcQaV-Esuqt7JDXNX3qUA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 30 Jul 2014 06:23:37 -0600
Message-ID: <CA+k3eCQvqbo+UD+FC05iSzuY7bcKBf4BuB6n1PbPgWVZehN_Yg@mail.gmail.com>
To: Takahiko Kawasaki <daru.tk@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/C19iSW7vli0XmSzdGmoJ3jaRNYA
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Standardized error responses from protected resource endpoints

Take a look at RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer
Token Usage" - particularly section 3:
http://tools.ietf.org/html/rfc6750#section-3 which describes using the
"WWW-Authenticate" response header field in response to a request with
an invalid/insufficient/missing/etc token.

On Tue, Jul 29, 2014 at 8:10 PM, Takahiko Kawasaki <daru.tk@gmail.com> wrote:
> Hello,
>
> I have a question. Is there any standardized specification about
> error responses from protected resource endpoints?
>
> "RFC 6749, 7.2. Error Response" says "the specifics of such error
> responses are beyond the scope of this specification", but I'm
> wondering if OAuth WG has done something for that.
>
> From error responses, I'd like to know information about:
>
>   (1) Usability (active or expired? (or not exist?))
>   (2) Refreshability (associated usable refresh token exists?)
>   (3) Sufficiency (usable but lacking necessary permissions?)
>
> For example, I'm expecting an error response like below with
> "400 Bad Request" or "403 Forbidden".
>
>   {
>     "error":"...",
>     "error_description":"...",
>     "error_uri":"...",
>     "usable": true,
>     "refreshable": true,
>     "sufficient": false
>   }
>
>
> Best Regards,
> Takahiko Kawasaki
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
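To make the pointer to RFC 6750 section 3 concrete, here is an added example (not code from this thread) of a resource server building the WWW-Authenticate challenge for the cases the question raises (no or invalid token, insufficient scope, malformed request) and of a client parsing it back; the realm value is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

REALM = "example"  # assumed realm; a constructed value for this example
# RFC 6750 section 3.1: error code -> HTTP status the resource server SHOULD use.
STATUS_FOR_ERROR = {
    "invalid_request": 400,     # malformed request, e.g. token sent in two places
    "invalid_token": 401,       # token expired, revoked, malformed or otherwise invalid
    "insufficient_scope": 403,  # token valid but lacks the scope this resource needs
}

def bearer_challenge(error: Optional[str] = None, description: Optional[str] = None,
                     scope: Optional[str] = None) -> Tuple[int, str]:
    """Resource server side: (status, WWW-Authenticate value) for a failed request."""
    if error is None:
        # No credentials at all: 401 with only the realm and no error code (section 3.1).
        return 401, f'Bearer realm="{REALM}"'
    if error not in STATUS_FOR_ERROR:
        raise ValueError(f"unknown RFC 6750 error code: {error}")
    parts = [f'realm="{REALM}"', f'error="{error}"']
    if description:
        # error_description is a quoted-string; drop characters that would break it.
        clean = description.replace('"', "").replace("\\", "")
        parts.append(f'error_description="{clean}"')
    if scope:  # space-separated scopes the resource requires (with insufficient_scope)
        parts.append(f'scope="{scope}"')
    return STATUS_FOR_ERROR[error], "Bearer " + ", ".join(parts)

_PARAM = re.compile(r'(\w+)="([^"]*)"')

@dataclass
class Challenge:
    realm: str
    error: Optional[str]
    description: Optional[str]
    scope: Optional[str]

    def should_refresh(self) -> bool:
        # invalid_token: the client MAY obtain a new access token and retry.
        # insufficient_scope: the token is fine but lacks permission; refreshing won't help.
        return self.error == "invalid_token"

def parse_challenge(header: str) -> Challenge:
    """Client side: parse a WWW-Authenticate value into its Bearer auth-params."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    params = dict(_PARAM.findall(rest))
    return Challenge(params.get("realm", ""), params.get("error"),
                     params.get("error_description"), params.get("scope"))
```

RFC 6750 carries no explicit "refreshable" flag; the client infers that a new token may help only from `invalid_token`, while `insufficient_scope` says the token itself is fine.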