I use OAuth 2 in a REST API, and my API returns a 401 error if my access token is invalid. My 401 response isn't meaningful right now, and I wonder if I could place my authentication URI in my response? Something like

{
  "error": 401,
  "authentication_uri": "https://example.com/login?client_id=123&response_type=token&redirect_uri=http://example.com/app/"
}

Can I do that? Is this secure? (It seems that all these params are exposed in the URL anyway...) Are there other common methods to get a meaningful response from 401? I couldn't find something useful about this topic.

Pipo
  • Well... why are you using an authentication URI and not the Authorization header? A 401 response must return the WWW-Authenticate header with the authentication scheme to be used. It looks like you're reinventing the wheel twice. – Pedro Werneck Jun 10 '14 at 17:59
  • Well, I have this conversation a lot lately (see here: http://stackoverflow.com/questions/24039340/why-is-the-http-location-header-only-set-for-post-requests-201-created-respons). I personally would love to use just HTTP headers for all links, but it seems I need links in my JSON response sooner or later, so I would do both to be consistent (HTTP headers where it makes sense and always links in the JSON response). Many new specs seem to favor this, too. – Pipo Jun 10 '14 at 18:40
  • I just saw that you were the one who replied to me at the other link, too :) – Pipo Jun 10 '14 at 18:55

2 Answers

I am not a security expert, but I don't see a problem with doing this. I'm not aware of any value in hiding how to authenticate, and I don't see you exposing anything that they don't already have (assuming client_id and redirect_uri were in the original request).

Eric Stein
  • client_id and redirect_uri wouldn't be in the initial request. Maybe the initial request was https://api.example.com/users/1 and then I get a 401. I think this would be beneficial if the authentication_uri changes (maybe because I use a debug version for my api - so I just need the base url for the API and I don't need to know my authentication url beforehand). – Pipo Jun 10 '14 at 14:10
To answer my own question: While it is certainly possible to do this and has benefits as you don't need to know the authentication URI beforehand, it has some pitfalls.

Say you develop multiple apps separately at http://localhost and you want them to communicate with the same REST API. The REST API can't deduce your client_id just from your Referer or Origin header field, as it is always http://localhost. You could develop "App 1" or "App 2", and each has a different client_id. Therefore you would need to support URI templates. E.g.:

{
  "error": 401,
  "authentication_uri": "https://example.com/login?redirect_uri=http://localhost&response_type=token{&client_id}"
}

See here for more examples about URI templates.

Pipo