[OAUTH-WG] Standardized error responses from protected resource endpoints

Takahiko Kawasaki <daru.tk@gmail.com> Wed, 30 July 2014 02:10 UTC

Return-Path: <daru.tk@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 38E771B2A52 for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 19:10:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id mchBHIJmeNj5 for <oauth@ietfa.amsl.com>; Tue, 29 Jul 2014 19:10:06 -0700 (PDT)
Received: from mail-lb0-x235.google.com (mail-lb0-x235.google.com [IPv6:2a00:1450:4010:c04::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA99A1B2A51 for <oauth@ietf.org>; Tue, 29 Jul 2014 19:10:05 -0700 (PDT)
Received: by mail-lb0-f181.google.com with SMTP id 10so366876lbg.26 for <oauth@ietf.org>; Tue, 29 Jul 2014 19:10:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=hTjIuGzJ/8JfG9Cx34+sJmkjbuwm4wMLu3iD1U8uDqI=; b=mi/qy2pBs6f/nEY9ud+psMySpohRck6UIRD2f5WYBI+WP4zZJg1CEkfbCwQOTj2vS4 zjsJ5v5fQHiCRxj+q7oetFYzzEybXvHZ3rMgF1qlcCgZ5n7QcOyVCobde0qEWCHqVzkH LQ2EbfbaNh4BNJhec/ppGxW+azO101xwzseZcgdBmQLxXZzdcH6L4JGl9EPd9ZytJUTN YZEbSOS9eSoPRZh4ZLkol+VSYBtlGLKoYN3wUkXFspDeUEcA/EczZFuMmSSyJvBJHOm2 l3/NZvhYnYrPexyVgcXBLpAHFZGm6adLUGFecw0LFC3Qd4PZ1i1ePfLxQTEP8vgLP1kg PFEw==
MIME-Version: 1.0
X-Received: by with SMTP id uc8mr797464lbb.70.1406686204111; Tue, 29 Jul 2014 19:10:04 -0700 (PDT)
Received: by with HTTP; Tue, 29 Jul 2014 19:10:04 -0700 (PDT)
Date: Wed, 30 Jul 2014 11:10:04 +0900
Message-ID: <CAGpwqP8QxsUBSNPhzk2Gh_E1Y9yUUUcQaV-Esuqt7JDXNX3qUA@mail.gmail.com>
From: Takahiko Kawasaki <daru.tk@gmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/UTFbb9zidgDWjHaixTuVSCUmstg
Subject: [OAUTH-WG] Standardized error responses from protected resource endpoints
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Jul 2014 02:10:08 -0000


I have a question. Is there any standardized specification about
error responses from protected resource endpoints?

"RFC 6749, 7.2. Error Response" says "the specifics of such error
responses are beyond the scope of this specification", but I'm
wondering if OAuth WG has done something for that.

>From error responses, I'd like to know information about:

  (1) Usability (active or expired? (or not exist?))
  (2) Refreshability (associated usable refresh token exists?)
  (3) Sufficiency (usable but lacking necessary permissions?)

For example, I'm expecting an error response like below with
"400 Bad Request" or "403 Forbidden".

    "usable": true,
    "refreshable": true,
    "sufficient": false

Best Regards,
Takahiko Kawasaki