In the OAuth 1.0 spec it is suggested to respond with the following WWW-Authenticate header:
WWW-Authenticate: OAuth realm="http://server.example.com/"
Is it suitable to add any other informative data to this header? In case a request for a protected resource fails, would it be reasonable to include some information as to why? Such as:
WWW-Authenticate: OAuth realm="http://server.example.com/", access token invalid
Or is this contrary to the purpose of the response header?
Note for anyone just stumbling across this: The OAuth 2.0 bearer token spec adds "error", "error_description", and "error_uri" attributes to the "WWW-Authenticate" header for reporting additional error information, and it specifies when they should and shouldn't be used.
E.g.:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
error="invalid_token",
error_description="The access token expired"