Proper WWW-Authenticate header for OAuth provider

oauth response-headers
Jon Nylander picture Jon Nylander · Dec 1, 2011 · Viewed 17.4k times · Source

In the OAuth 1.0 spec it is suggested to respond with the following WWW-Authenticate header:

WWW-Authenticate: OAuth realm="http://server.example.com/"

Is it suitable to add any other informative data to this header? In case a request for a protected resource fails, would it be reasonable to include some information as to why? Such as:

WWW-Authenticate: OAuth realm="http://server.example.com/", access token invalid

Or is this contrary to the purpose of the response header?

Answer

jcl picture jcl · Nov 24, 2015

Note for anyone just stumbling across this: The OAuth 2.0 bearer token spec adds "error", "error_description", and "error_uri" attributes to the "WWW-Authenticate" header for reporting additional error information, and it specifies when they should and shouldn't be used.

E.g.:

 HTTP/1.1 401 Unauthorized
 WWW-Authenticate: Bearer realm="example",
                   error="invalid_token",
                   error_description="The access token expired"

Related questions

Setting Authorization Header of HttpClient

I have an HttpClient that I am using for a REST API. However I am having trouble setting up the Authorization header. I need to set the header to the token I received from doing my OAuth request. I saw …

Read More
Use Device Login on Smart TV / Console

I have noticed that Facebook seems to support Device Login with a token / PIN Code instead of user/login to be used on devices like TV or console: https://www.facebook.com/device In the search of the dev page …

Read More
Facebook OAuth "The domain of this URL isn't included in the app's domain"

Let me first start with saying I've searched for an answer to this question for quite some time... I'm trying to setup Facebook OAuth to work with my application that is being developed locally on my machine. Everything was working …

Read More