I totally missed the error_description in the WWW-Authenticate header in the bearer spec. I'm not sure why the human readable error description is not in the response body on a 401 but I assume there is a reason.
Does what you were proposing only apply to error_description when in HTTP headers?

Eran, are you looking for a solution to apply to error_description wherever it appears? In the OAuth spec it appears in a URL query string, a URL fragment, and the JSON response body, and in the bearer and MAC spec it appears in an HTTP header.

If it is possible for general guidance, I would start at the most limited case, the URL fragment, which is intended to be parsed by a client-side script. JavaScript cannot percent-decode into a string anything other than UTF-8.

On May 19, 2011, at 2:55 AM, Julian Reschke wrote:

> On 2011-05-19 11:14, Kris Selden wrote:
>>> Well, like it or not, the default for HTTP header fields is not UTF-8.
>>
>> Encoding in HTTP header fields is not the topic, error_description is
>> already encoded into a URI before it is in the Location field.
>>
>> There are 3 spots where error_description appears:
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.1.2.1
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-4.2.2.1
>> http://tools.ietf.org/html/draft-ietf-oauth-v2-16#section-5.2
>>
>> In section 4.1.2.1 and 4.2.2.1 the issue is about character encoding before
>> application/x-www-form-urlencoded encoding (after that it is ASCII only). In
>> section 4.2.2.1, the parameter is encoded in the fragment component which is
>> only visible on the client side, and likely to be read by a script in
>> JavaScript (which is Unicode only).
>>
>> In section 5.2 the response type is JSON which already deals with character
>> encoding (http://tools.ietf.org/html/rfc4627#section-3) and is Unicode only.
>> So there isn't anything to solve for error_description in section 5.2,
>> except maybe to reference section 3 of rfc4627.
>> ...
>
> My comments applied to the proposal of returning error_description in the
> WWW-Authenticate header field (see
> <http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-04#section-2.4.1>).
>
> Best regards, Julian
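The point above about percent-decoding the URL fragment in JavaScript, as an added example that is not part of the original message: a client-side parser for the error parameters in a redirect fragment, showing that a UTF-8 encoded error_description decodes while a Latin-1 encoded one makes `decodeURIComponent` throw a `URIError`. The function name `parseFragmentParams` and the `client.example` URLs are constructed for illustration.

```javascript
// Constructed sample redirects: the same French text, percent-encoded from
// UTF-8 bytes and from ISO-8859-1 (Latin-1) bytes.
const SAMPLE_UTF8 =
  'https://client.example/cb#error=access_denied&error_description=Acc%C3%A8s+refus%C3%A9';
const SAMPLE_LATIN1 =
  'https://client.example/cb#error=access_denied&error_description=Acc%E8s+refus%E9';

// Parse application/x-www-form-urlencoded parameters from the fragment.
// Parameters whose bytes are not valid UTF-8 cannot be turned into a
// JavaScript string; they are reported in `undecodable` instead of
// aborting the whole parse.
function parseFragmentParams(url) {
  const result = { params: Object.create(null), undecodable: [] };
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return result;

  for (const pair of url.slice(hashIndex + 1).split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawName = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? '' : pair.slice(eq + 1);
    try {
      // Form encoding uses '+' for a space; undo that before percent-decoding.
      const name = decodeURIComponent(rawName.replace(/\+/g, ' '));
      const value = decodeURIComponent(rawValue.replace(/\+/g, ' '));
      result.params[name] = value;
    } catch (e) {
      if (!(e instanceof URIError)) throw e;
      // decodeURIComponent only accepts percent-encoded UTF-8 sequences.
      result.undecodable.push(rawName);
    }
  }
  return result;
}

for (const sample of [SAMPLE_UTF8, SAMPLE_LATIN1]) {
  const { params, undecodable } = parseFragmentParams(sample);
  console.log(params.error, JSON.stringify(params.error_description), undecodable);
}
```

The decoded error_description comes from the URL and should be handled as untrusted text when a client displays it.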