
It must be a JSON object with an error field.

What you showed is exactly that. Does the spec say the field must be a string?



As the sibling comment says: not just that it's a string, but which strings are expected.

OIDC extends the list with a few more: https://openid.net/specs/openid-connect-core-1_0.html#AuthEr...

This allows clients to interop with any server. Doing the shit Facebook is doing completely ignores one of the main objectives of implementing a RFC: interoperability.
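A small interoperability checker for the point made above, added here as an example and not part of the thread or any commenter's code: it takes a raw JSON error body and reports whether a generic client could handle it, using the error-code lists from RFC 6749 (sections 5.2 and 4.1.2.1) and OpenID Connect Core 1.0 (section 3.1.2.6); the sample bodies at the bottom are constructed, not captured from any real server.

```python
import json
import re

# Error codes a token endpoint may return (RFC 6749 section 5.2).
TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}
# Authorization-endpoint codes: RFC 6749 section 4.1.2.1 plus the extra
# codes OpenID Connect Core 1.0 defines (section 3.1.2.6).
AUTHZ_ERRORS = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable", "interaction_required", "login_required",
    "account_selection_required", "consent_required", "invalid_request_uri",
    "invalid_request_object", "request_not_supported",
    "request_uri_not_supported", "registration_not_supported",
}
# RFC 6749 limits error values to %x20-21 / %x23-5B / %x5D-7E (no '"' or '\').
_ALLOWED_CHARS = re.compile(r"[\x20-\x21\x23-\x5b\x5d-\x7e]+")


def check_error_response(body: str, endpoint: str = "token") -> tuple:
    """Return (interoperable, reason) for a raw JSON error body."""
    try:
        obj = json.loads(body)
    except ValueError as exc:
        return False, f"body is not valid JSON: {exc}"
    if not isinstance(obj, dict):
        return False, "top level is not a JSON object"
    if "error" not in obj:
        return False, "required 'error' member is missing"
    code = obj["error"]
    if not isinstance(code, str):
        # Vendor-specific shape: a generic client cannot interpret it.
        return False, f"'error' is a JSON {type(code).__name__}, not a string"
    if not _ALLOWED_CHARS.fullmatch(code):
        return False, "'error' has characters outside the allowed ASCII set"
    known = TOKEN_ERRORS if endpoint == "token" else AUTHZ_ERRORS
    if code not in known:
        return False, f"'{code}' is not a registered {endpoint} error code"
    return True, f"'{code}' is a registered {endpoint} error code"


# Constructed samples (not captured from any real server).
COMPLIANT = '{"error": "invalid_grant", "error_description": "code expired"}'
NESTED_OBJECT = '{"error": {"message": "Something went wrong", "code": 42}}'
```

Pass `endpoint="authorization"` to check a redirect-URI error against the authorization-endpoint list, which is the only place the OIDC additions are valid.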



It's in Section 5, actually. That one is for the implicit-grant flow, so the fields are URL-encoded and appended to the redirect URI's query fragment.


Yep, from section 5:

> error

> REQUIRED. A single ASCII [USASCII] error code from the following...



