Registration - 3.3. Client Registration Error Response example is missing schema

Issue #912 resolved
Nat Sakimura
created an issue

the example code seems to be wrong.

It states:

  HTTP/1.1 400 Bad Request
  WWW-Authenticate: error="invalid_redirect_uri",
    error_description="One or more redirect_uri values are invalid"
  Cache-Control: no-store
  Pragma: no-cache

As you can see, this is missing the required authorization schema, which in our case is "Bearer".

It should be:

  HTTP/1.1 400 Bad Request
  WWW-Authenticate: Bearer error="invalid_redirect_uri",
    error_description="One or more redirect_uri values are invalid"
  Cache-Control: no-store
  Pragma: no-cache

The same is true for the ReadError.

Comments (4)

  1. Vladimir Dzhuvinov

    Hi guys,

    The original example was wrong, but I believe the fix was incorrect:

    http://openid.bitbucket.org/openid-connect-registration-1_0.html#RegistrationError

    When a registration error condition occurs, the Client Registration Endpoint returns a HTTP 400 Bad request status code including a JSON object describing the error in the response body.

    Therefore, for a invalid_redirect_uri the error object should be put into the body, and not tweaked into the WWW-Authenticate header.

    You can also have a look at http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-14#section-5.2

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {
     "error":"invalid_redirect_uri",
     "error_description":"The redirect URI of http://sketchy.example.com is not allowed for this server."
    }
    
  2. Brian Campbell

    @Vladimir Dzhuvinov is correct here. The registration error responses should return errors using the mechanism defined in RFC 6750 only for errors related to OAuth access token. WWW-Authenticate and headers should not be overloaded to try and convey application level errors in registration.

  3. Log in to comment