Proper WWW-Authenticate header for OAuth provider

Question

In the OAuth 1.0 spec it is suggested to respond with the following WWW-Authenticate header:

WWW-Authenticate: OAuth realm="http://server.example.com/"

Is it suitable to add any other informative data to this header? In case a request for a protected resource fails, would it be reasonable to include some information as to why? Such as:

WWW-Authenticate: OAuth realm="http://server.example.com/", access token invalid

Or is this contrary to the purpose of the response header?

Answer 1

Sounds a little dubious to me. The WWW-Authenticate header is specified by an RFC, which would seem to forbid the example you've given. The OAuth spec says that you can include other WWW-Authenticate fields as defined by the RFC, not that you can just tack arbitrary strings onto the end of it. I would avoid it, unless there is a defined field that you could twist to your purposes.

Answer 2

Note for anyone just stumbling across this: The OAuth 2.0 bearer token spec adds "error", "error_description", and "error_uri" attributes to the "WWW-Authenticate" header for reporting additional error information, and it specifies when they should and shouldn't be used.

E.g.:

 HTTP/1.1 401 Unauthorized
 WWW-Authenticate: Bearer realm="example",
                   error="invalid_token",
                   error_description="The access token expired"

Answer 3

It's against the spec to do that, and if it wasn't it would probably be something like :

realm="http://server.example.com", oauth_error="access token invalid"

I'd recommend using the response body for things like this, or maybe a X-OAuth-Error header.