Thanks James.

This is my current text. Let me know if there are more issues.

EHL

---

6.2.  The WWW-Authenticate Response Header Field

   If the protected resource request does not include authentication
   credentials, contains an invalid access token, or is malformed, the
   resource server MUST include the HTTP "WWW-Authenticate" response
   header field.  The "WWW-Authenticate" header field uses the framework
   defined by [RFC2617] as follows:


     challenge       = "OAuth2" RWS #param

     param           = scope /
                       error / error-desc / error-uri /
                       ( token "=" ( token / quoted-string ) )

     scope           = "scope" "=" <"> scope-v *( SP scope-v ) <">
     scope-v         = 1*quoted-char

     quoted-char     = ALPHA / DIGIT /
                       "!" / "#" / "$" / "%" / "&" / "'" / "(" / ")" /
                       "*" / "+" / "-" / "." / "/" / ":" / "<" / "=" /
                       ">" / "?" / "@" / "[" / "]" / "^" / "_" / "`" /
                       "{" / "|" / "}" / "~" / "\" / "," / ";"

     error           = "error" "=" quoted-string
     error-desc      = "error_description" "=" quoted-string
     error-uri       = "error_uri" "=" <"> URI-Reference <">


   The "scope" attribute is a space-delimited list of scope values
   indicating the required scope of the access token for accessing the
   requested resource.  The "scope" attribute MUST NOT appear more than
   once.

   If the protected resource request included an access token and failed
   authentication, the resource server SHOULD include the "error"
   attribute to provide the client with the reason why the access
   request was declined.  The parameter value is described in
   Section 6.2.1.  In addition, the resource server MAY include the
   "error_description" attribute to provide a human-readable
   explanation, and the "error_uri" attribute with an absolute URI
   identifying a human-readable web page explaining the error.  The
   "error", "error_description", and "error_uri" attributes MUST NOT
   appear more than once.

   For example, in response to a protected resource request without
   authentication:


     HTTP/1.1 401 Unauthorized
     WWW-Authenticate: OAuth2


   And in response to a protected resource request with an
   authentication attempt using an expired access token:


     HTTP/1.1 401 Unauthorized
     WWW-Authenticate: OAuth2
                       error="invalid_token",
                       error_description="The access token expired"
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
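
A resource-server-side check of the challenge grammar quoted above, written as an added example for this thread (it is not draft text and not code from any OAuth implementation): it unfolds a possibly multi-line header value, splits it into `#param` pairs, enforces that `scope`, `error`, `error_description` and `error_uri` are quoted-strings that appear at most once, and validates `scope` against the `scope-v` alphabet. The function names and the sample header values are constructed for the example.

```python
import re
from typing import Dict, Optional

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 2616 token
QSTR = r'"(?:[^"\\]|\\.)*"'                          # RFC 2616 quoted-string
# scope-v = 1*quoted-char, using the quoted-char alphabet from the draft ABNF
QUOTED_CHAR = r"[A-Za-z0-9!#$%&'()*+\-./:<=>?@\[\]^_`{|}~\\,;]"
SCOPE_RE = re.compile("^" + QUOTED_CHAR + "+( " + QUOTED_CHAR + "+)*$")
# param = token "=" ( token / quoted-string ), comma-separated as in #param
PARAM_RE = re.compile(r"\s*(" + TOKEN + r")\s*=\s*(" + QSTR + "|" + TOKEN + r")\s*(?:,|$)")
# Attributes the text says MUST NOT repeat; all four are quoted-strings in the ABNF
SINGLE_USE = {"scope", "error", "error_description", "error_uri"}

class ChallengeError(ValueError):
    """Raised when the header value does not match the draft's ABNF."""

def parse_oauth2_challenge(header_value: str) -> Dict[str, str]:
    """Return the challenge params as a dict, or raise ChallengeError."""
    value = re.sub(r"\r?\n[ \t]+", " ", header_value).strip()  # unfold continuation lines
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "oauth2":                    # auth-scheme names are case-insensitive
        raise ChallengeError("unexpected auth-scheme %r" % scheme)
    params: Dict[str, str] = {}
    rest, pos = rest.strip(), 0
    while pos < len(rest):
        m = PARAM_RE.match(rest, pos)
        if not m:
            raise ChallengeError("malformed param near %r" % rest[pos:pos + 20])
        name, raw = m.group(1).lower(), m.group(2)
        if name in SINGLE_USE and name in params:
            raise ChallengeError("%s MUST NOT appear more than once" % name)
        if name in SINGLE_USE and not raw.startswith('"'):
            raise ChallengeError("%s value must be a quoted-string" % name)
        # quoted-string: drop the quotes and resolve quoted-pair escapes
        val = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw
        if name == "scope" and not SCOPE_RE.match(val):
            raise ChallengeError("scope is not a single-SP-separated list of scope-v")
        params[name] = val
        pos = m.end()
    return params

def challenge_error(header_value: str) -> Optional[str]:
    """The rejection reason for a header value, or None if it is well-formed."""
    try:
        parse_oauth2_challenge(header_value)
        return None
    except ChallengeError as exc:
        return str(exc)
```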