On May 19, 2011, at 10:52 AM, Julian Reschke wrote:

> On 2011-05-19 19:47, Kris Selden wrote:
>> I totally missed the error_description in the WWW-Authenticate header in the
>> bearer spec. I'm not sure why the human readable error description is not
>> in the response body on a 401 but I assume there is a reason.
>
> Dunno.
>
>> Does what you were proposing only apply to error_description when in HTTP
>> headers?
>
> Yes.

That seems bad. Human readable text isn't something that should be put into an HTTP header. The MAC spec has the same problem, in section 4.1. These should be brought in line with the OAuth v2 spec, which specifies the human readable error descriptions going in the body.

-Andrew