A proper WWW-Authenticate header for an OAuth provider
26-10-2019
Question
In the OAuth 1.0 spec it is suggested to respond with the following WWW-Authenticate header:
WWW-Authenticate: OAuth realm="http://server.example.com/"
Is it appropriate to add other informational data to this header? In the case where a request for a protected resource fails, would it be reasonable to include information about the reasons? Such as:
WWW-Authenticate: OAuth realm="http://server.example.com/", access token invalid
Or is this contrary to the purpose of the response header?
Solution
Sounds a little dubious to me. The WWW-Authenticate header is specified by an RFC, which would seem to forbid the example you've given. The OAuth spec says that you can include other WWW-Authenticate fields as defined by the RFC, not that you can just tack arbitrary strings onto the end of it. I would avoid it, unless there is a defined field that you could twist to your purposes.
Other tips
Note for anyone just stumbling across this: The OAuth 2.0 bearer token spec adds "error", "error_description", and "error_uri" attributes to the "WWW-Authenticate" header for reporting additional error information, and it specifies when they should and shouldn't be used.
E.g.:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
error="invalid_token",
error_description="The access token expired"
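As an added example (not code from the original question or answers), the following Python builds and parses a Bearer challenge in the auth-param form used by the OAuth 2.0 bearer token spec, so a resource server can report an error without tacking free text onto the header. The three error codes and the status codes they pair with are the ones the bearer token spec defines; the function names, the regular expression and the sample header are constructed here for illustration. Note that a free-form string such as "access token invalid" from the question is rejected by the builder because it is not a registered error code.

```python
"""Added example (not from the original Q&A): build and parse a
WWW-Authenticate Bearer challenge in the form the OAuth 2.0 bearer token
spec describes (realm, scope, error, error_description, error_uri).
Function names, the regex and the sample values are assumptions made here.
"""
import re

# Error codes registered by the bearer token spec (section 3.1) and the
# HTTP status code each is normally returned with.
BEARER_ERRORS = {
    "invalid_request": 400,
    "invalid_token": 401,
    "insufficient_scope": 403,
}

# One auth-param: token "=" ( quoted-string / token ), followed by a comma
# or the end of the header value.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*(?:,|$)'
)


def build_bearer_challenge(realm, error=None, error_description=None,
                           error_uri=None, scope=None):
    """Return (status_code, header_value) for a failed bearer-token request.

    Only registered error codes are accepted; free text such as
    "access token invalid" raises ValueError instead of being emitted.
    """
    if error is not None and error not in BEARER_ERRORS:
        raise ValueError(f"unregistered bearer error code: {error!r}")
    params = [("realm", realm)]
    if scope is not None:
        params.append(("scope", scope))
    if error is not None:
        params.append(("error", error))
        if error_description is not None:
            params.append(("error_description", error_description))
        if error_uri is not None:
            params.append(("error_uri", error_uri))
    # The spec forbids '"' and '\' inside these quoted values; refuse them
    # rather than emit a header a client cannot parse.
    for _, value in params:
        if '"' in value or "\\" in value:
            raise ValueError("auth-param values must not contain '\"' or '\\'")
    header = "Bearer " + ", ".join(f'{k}="{v}"' for k, v in params)
    status = BEARER_ERRORS[error] if error else 401
    return status, header


def parse_bearer_challenge(header_value):
    """Parse a Bearer challenge into a dict of auth-params.

    Returns None when the scheme is not Bearer (e.g. an OAuth 1.0 challenge),
    and raises ValueError on malformed or duplicated auth-params.
    """
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    pos = 0
    while pos < len(rest):
        m = _PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param near: {rest[pos:pos + 20]!r}")
        name = m.group(1).lower()
        if m.group(2) is not None:
            # quoted-string: undo backslash escaping (quoted-pair)
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        if name in params:
            raise ValueError(f"duplicate auth-param: {name}")
        params[name] = value
        pos = m.end()
    return params


if __name__ == "__main__":
    # Constructed sample mirroring the expired-token challenge above.
    status, hdr = build_bearer_challenge(
        "example", error="invalid_token",
        error_description="The access token expired")
    print(status, hdr)
    print(parse_bearer_challenge(hdr))
```

A resource server would send the returned status with the header value; a client that receives it can look at `error` to decide whether to refresh the token (`invalid_token`) or to request more scope (`insufficient_scope`) without parsing prose.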
It's against the spec to do that, and if it wasn't it would probably be something like:
realm="http://server.example.com", oauth_error="access token invalid"
I'd recommend using the response body for things like this, or maybe a X-OAuth-Error header.