- changed status to resolved
Registration - 3.3. Client Registration Error Response example is missing schema
the example code seems to be wrong.
It states:
HTTP/1.1 400 Bad Request
WWW-Authenticate: error="invalid_redirect_uri",
error_description="One or more redirect_uri values are invalid"
Cache-Control: no-store
Pragma: no-cache
As you can see, this is missing the required authorization schema, which in our case is "Bearer".
It should be:
HTTP/1.1 400 Bad Request
WWW-Authenticate: Bearer error="invalid_redirect_uri",
error_description="One or more redirect_uri values are invalid"
Cache-Control: no-store
Pragma: no-cache
The same is true for the ReadError.
Comments (4)
-
Hi guys,
The original example was wrong, but I believe the fix was incorrect:
http://openid.bitbucket.org/openid-connect-registration-1_0.html#RegistrationError
When a registration error condition occurs, the Client Registration Endpoint returns an HTTP 400 Bad Request status code including a JSON object describing the error in the response body.
Therefore, for an invalid_redirect_uri the error object should be put into the body, and not tweaked into the WWW-Authenticate header.
You can also have a look at http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-14#section-5.2
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
{
  "error":"invalid_redirect_uri",
  "error_description":"The redirect URI of http://sketchy.example.com is not allowed for this server."
}
-
@vdzhuvinov is correct here. The registration error responses should return errors using the mechanism defined in RFC 6750 only for errors related to the OAuth access token. WWW-Authenticate and headers should not be overloaded to try and convey application level errors in registration.
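The thread makes two separate points: the reporter's, that a WWW-Authenticate challenge must begin with an auth scheme ("Bearer"), and the commenters', that registration errors such as invalid_redirect_uri belong in a 400 JSON body and not in that header. The following added example (written for this page, not code from the OpenID Connect spec or any implementation) is a small registration endpoint that keeps the two error channels apart: access-token problems get an RFC 6750 challenge, client-metadata problems get the JSON body. The token value, the redirect_uri acceptance rule and the client_id are constructed assumptions; www_authenticate_has_scheme is a hypothetical helper that checks for the missing-scheme defect the issue reports.

```python
import json
import re
from urllib.parse import urlparse

# Constructed: the one initial access token this toy endpoint accepts.
VALID_INITIAL_ACCESS_TOKENS = {"constructed-initial-access-token"}

# RFC 7230 token characters; an auth-scheme is a token, so 'error="..."'
# (which contains '=' and '"') cannot be one.
_TOKEN_RE = re.compile(r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+")


def www_authenticate_has_scheme(header_value):
    """True if the challenge starts with an auth-scheme token (e.g. 'Bearer'),
    False for the bare 'error=...' form the original spec example showed."""
    parts = header_value.split(None, 1)
    return bool(parts) and _TOKEN_RE.fullmatch(parts[0]) is not None


def bearer_challenge(error, description):
    """RFC 6750 response for access-token problems: the error is carried in a
    WWW-Authenticate header that starts with the 'Bearer' scheme."""
    challenge = 'Bearer error="%s", error_description="%s"' % (error, description)
    return {
        "status": 401,
        "headers": {
            "WWW-Authenticate": challenge,
            "Cache-Control": "no-store",
            "Pragma": "no-cache",
        },
        "body": "",
    }


def registration_error(error, description):
    """Dynamic Client Registration error: HTTP 400 with a JSON object in the
    body and no WWW-Authenticate header at all."""
    return {
        "status": 400,
        "headers": {
            "Content-Type": "application/json",
            "Cache-Control": "no-store",
            "Pragma": "no-cache",
        },
        "body": json.dumps({"error": error, "error_description": description}),
    }


def redirect_uri_is_acceptable(uri):
    """Constructed policy: absolute https URI, or http only on localhost, and
    never a fragment (fragments are not allowed in redirect URIs)."""
    p = urlparse(uri)
    if p.fragment or not p.netloc:
        return False
    if p.scheme == "https":
        return True
    return p.scheme == "http" and p.hostname in ("localhost", "127.0.0.1")


def handle_registration(authorization_header, request_body):
    """Route a registration request to the correct error channel."""
    # 1. Problems with the (optional) initial access token -> RFC 6750 challenge.
    if authorization_header is not None:
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or token not in VALID_INITIAL_ACCESS_TOKENS:
            return bearer_challenge("invalid_token", "The initial access token is invalid")
    # 2. Problems with the client metadata -> 400 + JSON body, no challenge.
    try:
        metadata = json.loads(request_body)
    except ValueError:
        return registration_error("invalid_client_metadata", "Request body is not valid JSON")
    uris = metadata.get("redirect_uris", [])
    if not uris or any(not redirect_uri_is_acceptable(u) for u in uris):
        return registration_error("invalid_redirect_uri", "One or more redirect_uri values are invalid")
    # Success: constructed client_id, metadata echoed back.
    return {
        "status": 201,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"client_id": "constructed-client-id", "redirect_uris": uris}),
    }


def error_code(response):
    """Read the 'error' member of a JSON error body (None if the body is empty)."""
    return json.loads(response["body"]).get("error") if response["body"] else None
```

Note that the two channels never mix: a rejected redirect_uri yields a 400 whose headers contain no WWW-Authenticate at all, while a bad token yields a 401 whose challenge passes www_authenticate_has_scheme; the header from the issue's original example fails that check.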
-
Fixed
#912 - Correct registration error example to return error in JSON body → <<cset b1162b380763>>
Fixed
#912 - Added missing "Bearer" authorization scheme to the WWW-Authenticate responses. Use defined term Grant Type. → <<cset f184a243ed15>>