draft-ietf-appsawg-http-problem-03.txt   draft-ietf-appsawg-http-problem-latest.txt 
Network Working Group M. Nottingham Network Working Group M. Nottingham
Internet-Draft Akamai Internet-Draft Akamai
Intended status: Standards Track E. Wilde Intended status: Standards Track E. Wilde
Expires: July 29, 2016 January 26, 2016 Expires: October 8, 2017 April 6, 2017
Problem Details for HTTP APIs Problem Details for HTTP APIs
draft-ietf-appsawg-http-problem-03 draft-ietf-appsawg-http-problem-03
Abstract Abstract
This document defines a "problem detail" as a way to carry machine- This document defines a "problem detail" as a way to carry machine-
readable details of errors in a HTTP response, to avoid the need to readable details of errors in a HTTP response to avoid the need to
define new error response formats for HTTP APIs. define new error response formats for HTTP APIs.
Note to Readers Note to Readers
This draft should be discussed on the apps-discuss mailing list [1]. This draft should be discussed on the apps-discuss mailing list [1].
This section is to be removed before publication. This section is to be removed before publication.
Note to RFC Editor Note to RFC Editor
Please replace all occurrences of "XXXX" with the final RFC number Please replace all occurrences of "XXXX" with the final RFC number
chosen for this draft. chosen for this draft.
This section is to be removed before publication. This section is to be removed before publication.
Status of this Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 29, 2016. This Internet-Draft will expire on October 8, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4 3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4
3.1. Problem Details Object Members . . . . . . . . . . . . . . 5 3.1. Members of a Problem Details Object . . . . . . . . . . . 5
3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 6 3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 6
4. Defining New Problem Types . . . . . . . . . . . . . . . . . . 7 4. Defining New Problem Types . . . . . . . . . . . . . . . . . 7
4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.2. Pre-Defined Problem Types . . . . . . . . . . . . . . . . 8 4.2. Predefined Problem Types . . . . . . . . . . . . . . . . 8
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10 6.1. application/problem+json . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 11 6.2. application/problem+xml . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . . 11 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
8.2. Informative References . . . . . . . . . . . . . . . . . . 11 7.1. Normative References . . . . . . . . . . . . . . . . . . 11
Appendix A. HTTP Problems and XML . . . . . . . . . . . . . . . . 12 7.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix B. Using Problem Details with Other Formats . . . . . . 14 Appendix A. HTTP Problems and XML . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Appendix B. Using Problem Details with Other Formats . . . . . . 15
Appendix C. Acknowledgements . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
HTTP [RFC7230] status codes are sometimes not sufficient to convey HTTP [RFC7230] status codes are sometimes not sufficient to convey
enough information about an error to be helpful. While humans behind enough information about an error to be helpful. While humans behind
Web browsers can be informed about the nature of the problem with an Web browsers can be informed about the nature of the problem with an
HTML [W3C.REC-html5-20141028] response body, non-human consumers of HTML [W3C.REC-html5-20141028] response body, non-human consumers of
so-called "HTTP APIs" are usually not. so-called "HTTP APIs" are usually not.
This specification defines simple JSON [RFC7159] and XML This specification defines simple JSON [RFC7159] and XML
skipping to change at page 3, line 25 skipping to change at page 3, line 14
are designed to be reused by HTTP APIs, which can identify distinct are designed to be reused by HTTP APIs, which can identify distinct
"problem types" specific to their needs. "problem types" specific to their needs.
Thus, API clients can be informed of both the high-level error class Thus, API clients can be informed of both the high-level error class
(using the status code) and the finer-grained details of the problem (using the status code) and the finer-grained details of the problem
(using one of these formats). (using one of these formats).
For example, consider a response that indicates that the client's For example, consider a response that indicates that the client's
account doesn't have enough credit. The 403 Forbidden status code account doesn't have enough credit. The 403 Forbidden status code
might be deemed most appropriate to use, as it will inform HTTP- might be deemed most appropriate to use, as it will inform HTTP-
generic software (such as client libraries, caches and proxies) of generic software (such as client libraries, caches, and proxies) of
the general semantics of the response. the general semantics of the response.
However, that doesn't give the API client enough information about However, that doesn't give the API client enough information about
why the request was forbidden, the applicable account balance, or how why the request was forbidden, the applicable account balance, or how
to correct the problem. If these details are included in the to correct the problem. If these details are included in the
response body in a machine-readable format, the client can treat it response body in a machine-readable format, the client can treat it
appropriately; for example, triggering a transfer of more credit into appropriately; for example, triggering a transfer of more credit into
the account. the account.
This specification does this by identifying a specific type of This specification does this by identifying a specific type of
problem (e.g., "out of credit") with a URI [RFC3986]; HTTP APIs can problem (e.g., "out of credit") with a URI [RFC3986]; HTTP APIs can
do this by nominating new URIs under their control, or by reusing do this by nominating new URIs under their control, or by reusing
existing ones. existing ones.
Additionally, problems can contain other information, such as a URI Additionally, problem details can contain other information, such as
that identifies the specific occurrence of the problem (effectively a URI that identifies the specific occurrence of the problem
giving an identifier to the concept "The time Joe didn't have enough (effectively giving an identifier to the concept "The time Joe didn't
credit last Thursday"), which can be useful for support or forensic have enough credit last Thursday"), which can be useful for support
purposes. or forensic purposes.
The data model for problem details is a JSON [RFC7159] object; when The data model for problem details is a JSON [RFC7159] object; when
formatted as a JSON document, it uses the "application/problem+json" formatted as a JSON document, it uses the "application/problem+json"
media type. Appendix A defines how to express them in an equivalent media type. Appendix A defines how to express them in an equivalent
XML format, which uses the "application/problem+xml" media type. XML format, which uses the "application/problem+xml" media type.
Note that problem details are (naturally) not the only way to convey Note that problem details are (naturally) not the only way to convey
the details of a problem in HTTP; if the response is still a the details of a problem in HTTP; if the response is still a
representation of a resource, for example, it's often preferable to representation of a resource, for example, it's often preferable to
accommodate describing the relevant details in that application's accommodate describing the relevant details in that application's
format. Likewise, in many situations, there is an appropriate HTTP format. Likewise, in many situations, there is an appropriate HTTP
status code that does not require extra detail to be conveyed. status code that does not require extra detail to be conveyed.
Instead, the aim of this specification is to define common error Instead, the aim of this specification is to define common error
formats for those applications that need one, so that they aren't formats for those applications that need one, so that they aren't
required to define their own, or worse, tempted to re-define the required to define their own, or worse, tempted to redefine the
semantics of existing HTTP status codes. Even if an application semantics of existing HTTP status codes. Even if an application
chooses not to use it to convey errors, reviewing its design can help chooses not to use it to convey errors, reviewing its design can help
guide the design decisions faced when conveying errors in an existing guide the design decisions faced when conveying errors in an existing
format. format.
2. Requirements 2. Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. The Problem Details JSON Object 3. The Problem Details JSON Object
The canonical model for problem details is a JSON [RFC7159] object. The canonical model for problem details is a JSON [RFC7159] object.
When serialised as a JSON document, that format is identified with When serialized as a JSON document, that format is identified with
the "application/problem+json" media type. the "application/problem+json" media type.
For example, a HTTP response carrying JSON problem details: For example, an HTTP response carrying JSON problem details:
HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden
Content-Type: application/problem+json Content-Type: application/problem+json
Content-Language: en Content-Language: en
{ {
"type": "https://example.com/probs/out-of-credit", "type": "https://example.com/probs/out-of-credit",
"title": "You do not have enough credit.", "title": "You do not have enough credit.",
"detail": "Your current balance is 30, but that costs 50.", "detail": "Your current balance is 30, but that costs 50.",
"instance": "/account/12345/msgs/abc", "instance": "/account/12345/msgs/abc",
skipping to change at page 5, line 27 skipping to change at page 5, line 22
"invalid-params": [ { "invalid-params": [ {
"name": "age", "name": "age",
"reason": "must be a positive integer" "reason": "must be a positive integer"
}, },
{ {
"name": "color", "name": "color",
"reason": "must be 'green', 'red' or 'blue'"} "reason": "must be 'green', 'red' or 'blue'"}
] ]
} }
Note that this requires each of the sub-problems to be similar enough Note that this requires each of the subproblems to be similar enough
to use the same HTTP status code. If they do not, the 207 (Multi- to use the same HTTP status code. If they do not, the 207 (Multi-
Status) [RFC4918] code could be used to encapsulate multiple status Status) [RFC4918] code could be used to encapsulate multiple status
messages. messages.
3.1. Problem Details Object Members 3.1. Members of a Problem Details Object
A problem details object can have the following members: A problem details object can have the following members:
o "type" (string) - A URI reference [RFC3986] that identifies the o "type" (string) - A URI reference [RFC3986] that identifies the
problem type. When dereferenced, it is encouraged to provide problem type. This specification encourages that, when
human-readable documentation for the problem type (e.g., using dereferenced, it provide human-readable documentation for the
HTML [W3C.REC-html5-20141028]). When this member is not present, problem type (e.g., using HTML [W3C.REC-html5-20141028]). When
its value is assumed to be "about:blank". this member is not present, its value is assumed to be
"about:blank".
o "title" (string) - A short, human-readable summary of the problem o "title" (string) - A short, human-readable summary of the problem
type. It SHOULD NOT change from occurrence to occurrence of the type. It SHOULD NOT change from occurrence to occurrence of the
problem, except for purposes of localisation (e.g., using problem, except for purposes of localization (e.g., using
proactive content negotiation; see [RFC7231], Section 3.4). proactive content negotiation; see [RFC7231], Section 3.4).
o "status" (number) - The HTTP status code ([RFC7231], Section 6) o "status" (number) - The HTTP status code ([RFC7231], Section 6)
generated by the origin server for this occurrence of the problem. generated by the origin server for this occurrence of the problem.
o "detail" (string) - An human readable explanation specific to this
o "detail" (string) - A human-readable explanation specific to this
occurrence of the problem. occurrence of the problem.
o "instance" (string) - A URI reference that identifies the specific o "instance" (string) - A URI reference that identifies the specific
occurrence of the problem. It may or may not yield further occurrence of the problem. It may or may not yield further
information if dereferenced. information if dereferenced.
Consumers MUST use the type string as the primary identifier for the Consumers MUST use the "type" string as the primary identifier for
problem type; the title string is advisory, and included only for the problem type; the "title" string is advisory and included only
users who are not aware of the semantics of the URI, and don't have for users who are not aware of the semantics of the URI and do not
the ability to discover them (e.g., offline log analysis). Consumers have the ability to discover them (e.g., offline log analysis).
SHOULD NOT automatically dereference the type URI. Consumers SHOULD NOT automatically dereference the type URI.
The status member, if present, is only advisory; it conveys the HTTP The "status" member, if present, is only advisory; it conveys the
status code used for the convenience of the consumer. Generators HTTP status code used for the convenience of the consumer.
MUST use the same status code in the actual HTTP response, to assure Generators MUST use the same status code in the actual HTTP response,
that generic HTTP software that does not understand this format still to assure that generic HTTP software that does not understand this
behaves correctly. See Section 5 for further caveats regarding its format still behaves correctly. See Section 5 for further caveats
use. regarding its use.
Consumers can use the status member to determine what the original Consumers can use the status member to determine what the original
status code used by the generator was, in cases where it has been status code used by the generator was, in cases where it has been
changed (e.g., by an intermediary or cache), and when message bodies changed (e.g., by an intermediary or cache), and when message bodies
are persisted without HTTP information. Generic HTTP software will persist without HTTP information. Generic HTTP software will still
still use the HTTP status code. use the HTTP status code.
The detail member, if present, ought to focus on helping the client The "detail" member, if present, ought to focus on helping the client
correct the problem, rather than giving debugging information. correct the problem, rather than giving debugging information.
Consumers SHOULD NOT parse the detail member for information; Consumers SHOULD NOT parse the "detail" member for information;
extensions are more suitable and less error-prone ways to obtain such extensions are more suitable and less error-prone ways to obtain such
information. information.
Note that both "type" and "instance" accept relative URIs; this means Note that both "type" and "instance" accept relative URIs; this means
that they must be resolved relative to the document's base URI, as that they must be resolved relative to the document's base URI, as
per [RFC3986], Section 5. per [RFC3986], Section 5.
3.2. Extension Members 3.2. Extension Members
Problem type definitions MAY extend the problem details object with Problem type definitions MAY extend the problem details object with
additional members. additional members.
For example, our "out of credit" problem above defines two such For example, our "out of credit" problem above defines two such
extensions, "balance" and "accounts" to convey additional, problem- extensions -- "balance" and "accounts" to convey additional, problem-
specific information. specific information.
Clients consuming problem details MUST ignore any such extensions Clients consuming problem details MUST ignore any such extensions
that they don't recognise; this allows problem types to evolve and that they don't recognize; this allows problem types to evolve and
include additional information in the future. include additional information in the future.
Note that because extensions are effectively name spaced by the Note that because extensions are effectively put into a namespace by
problem type, it is not possible to define new "standard" members the problem type, it is not possible to define new "standard" members
without defining a new media type. without defining a new media type.
4. Defining New Problem Types 4. Defining New Problem Types
When an HTTP API needs to define a response that indicates an error When an HTTP API needs to define a response that indicates an error
condition, it might be appropriate to do so by defining a new problem condition, it might be appropriate to do so by defining a new problem
type. type.
Before doing so, it's important to understand what they are good for, Before doing so, it's important to understand what they are good for,
and what's better left to other mechanisms. and what's better left to other mechanisms.
Problem details are not a debugging tool for the underlying Problem details are not a debugging tool for the underlying
implementation; rather, they are a way to expose greater detail about implementation; rather, they are a way to expose greater detail about
the HTTP interface itself. Designers of new problem types need to the HTTP interface itself. Designers of new problem types need to
carefully consider the Security Considerations (Section 5); in carefully consider the Security Considerations (Section 5), in
particular the risk of exposing attack vectors by exposing particular, the risk of exposing attack vectors by exposing
implementation internals through error messages. implementation internals through error messages.
Likewise, truly generic problems - i.e., conditions that could Likewise, truly generic problems -- i.e., conditions that could
potentially apply to any resource on the Web - are usually better potentially apply to any resource on the Web -- are usually better
expressed as plain status codes. For example, a "write access expressed as plain status codes. For example, a "write access
disallowed" problem is probably unnecessary, since a 403 Forbidden disallowed" problem is probably unnecessary, since a 403 Forbidden
status code in response to a PUT request is self-explanatory. status code in response to a PUT request is self-explanatory.
Finally, an application might have a more appropriate way to carry an Finally, an application might have a more appropriate way to carry an
error in a format that it already defines. Problem details are error in a format that it already defines. Problem details are
intended to avoid the necessity of establishing new "fault" or intended to avoid the necessity of establishing new "fault" or
"error" document formats, not to replace existing domain-specific "error" document formats, not to replace existing domain-specific
formats. formats.
That said, it is possible to add support for problem details to That said, it is possible to add support for problem details to
existing HTTP APIs using HTTP content negotiation (e.g., using the existing HTTP APIs using HTTP content negotiation (e.g., using the
Accept request header to indicate a preference for this format; see Accept request header to indicate a preference for this format; see
[RFC7231], Section 5.3.2). [RFC7231], Section 5.3.2).
New problem type definitions MUST document: New problem type definitions MUST document:
1. A type URI (typically, with the "http" or "https" scheme),
2. A title that appropriately describes it (think short), and 1. a type URI (typically, with the "http" or "https" scheme),
3. The HTTP status code for it to be used with.
2. a title that appropriately describes it (think short), and
3. the HTTP status code for it to be used with.
Problem type definitions MAY specify the use of the Retry-After Problem type definitions MAY specify the use of the Retry-After
response header ([RFC7231], Section 7.1.3) in appropriate response header ([RFC7231], Section 7.1.3) in appropriate
circumstances. circumstances.
A problem's type URI SHOULD resolve to HTML [W3C.REC-html5-20141028] A problem's type URI SHOULD resolve to HTML [W3C.REC-html5-20141028]
documentation that explains how to resolve the problem. documentation that explains how to resolve the problem.
A problem type definition MAY specify additional members on the A problem type definition MAY specify additional members on the
Problem Details object. For example, an extension might use typed problem details object. For example, an extension might use typed
links [RFC5988] to another resource that can be used by machines to links [RFC5988] to another resource that can be used by machines to
resolve the problem. resolve the problem.
If such additional members are defined, their names SHOULD start with If such additional members are defined, their names SHOULD start with
a letter (ALPHA, as per [RFC5234], Appendix B.1) and SHOULD consist a letter (ALPHA, as per [RFC5234], Appendix B.1) and SHOULD consist
of characters from ALPHA, DIGIT (Ibid.), and "_" (so that it can be of characters from ALPHA, DIGIT ([RFC5234], Appendix B.1), and "_"
serialized in formats other than JSON), and SHOULD be three (so that it can be serialized in formats other than JSON), and they
characters or longer. SHOULD be three characters or longer.
4.1. Example 4.1. Example
For example, if you are publishing an HTTP API to your online For example, if you are publishing an HTTP API to your online
shopping cart, you might need to indicate that the user is out of shopping cart, you might need to indicate that the user is out of
credit (our example from above), and therefore cannot make the credit (our example from above), and therefore cannot make the
purchase. purchase.
If you already have an application-specific format that can If you already have an application-specific format that can
accommodate this information, it's probably best to do that. accommodate this information, it's probably best to do that.
However, if you don't, you might consider using one of the problem However, if you don't, you might consider using one of the problem
details formats; JSON if your API is JSON-based, or XML if it uses details formats -- JSON if your API is JSON-based, or XML if it uses
that format. that format.
To do so, you might look for an already-defined type URI that suits To do so, you might look for an already-defined type URI that suits
your purposes. If one is available, you can reuse that URI. your purposes. If one is available, you can reuse that URI.
If one isn't available, you could mint and document a new type URI If one isn't available, you could mint and document a new type URI
(which ought to be under your control and stable over time), an (which ought to be under your control and stable over time), an
appropriate title and the HTTP status code that it will be used with, appropriate title and the HTTP status code that it will be used with,
along with what it means and how it should be handled. along with what it means and how it should be handled.
In summary: an instance URI will always identify a specific In summary: an instance URI will always identify a specific
occurrence of a problem. On the other hand, type URIs can be reused occurrence of a problem. On the other hand, type URIs can be reused
if an appropriate description of a problem type is already available if an appropriate description of a problem type is already available
someplace else, or they can be created for new problem types. someplace else, or they can be created for new problem types.
4.2. Pre-Defined Problem Types 4.2. Predefined Problem Types
This specification reserves the use of one URI as a problem type: This specification reserves the use of one URI as a problem type:
The "about:blank" URI [RFC6694], when used as a problem type, The "about:blank" URI [RFC6694], when used as a problem type,
indicates that the problem has no additional semantics beyond that of indicates that the problem has no additional semantics beyond that of
the HTTP status code. the HTTP status code.
When "about:blank" is used, the title SHOULD be the same as the When "about:blank" is used, the title SHOULD be the same as the
recommended HTTP status phrase for that code (e.g., "Not Found" for recommended HTTP status phrase for that code (e.g., "Not Found" for
404, and so on), although it MAY be localized to suit client 404, and so on), although it MAY be localized to suit client
preferences (expressed with the Accept-Language request header). preferences (expressed with the Accept-Language request header).
Please note that according to how the "type" member is defined Please note that according to how the "type" member is defined
(Section 3.1), the "about:blank" URI is the default value for that (Section 3.1), the "about:blank" URI is the default value for that
member. Consequently, any problem details object not carrying an member. Consequently, any problem details object not carrying an
explicit "type" member implicitly uses this URI. explicit "type" member implicitly uses this URI.
5. Security Considerations 5. Security Considerations
When defining a new problem type, the information included must be When defining a new problem type, the information included must be
carefully vetted. Likewise, when actually generating a problem - carefully vetted. Likewise, when actually generating a problem --
however it is serialized - the details given must also be however it is serialized -- the details given must also be
scrutinized. scrutinized.
Risks include leaking information that can be exploited to compromise Risks include leaking information that can be exploited to compromise
the system, access to the system, or the privacy of users of the the system, access to the system, or the privacy of users of the
system. system.
Generators providing links to occurrence information are encouraged Generators providing links to occurrence information are encouraged
to avoid making implementation details such as a stack dump available to avoid making implementation details such as a stack dump available
through the HTTP interface, since this can expose sensitive details through the HTTP interface, since this can expose sensitive details
of the server implementation, its data, and so on. of the server implementation, its data, and so on.
The "status" member duplicates the information available in the HTTP The "status" member duplicates the information available in the HTTP
status code itself, thereby bringing the possibility of disagreement status code itself, thereby bringing the possibility of disagreement
between the two. Their relative precedence is not clear, since a between the two. Their relative precedence is not clear, since a
disagreement might indicate that (for example) an intermediary has disagreement might indicate that (for example) an intermediary has
modified the HTTP status code in transit (e.g., by a proxy or cache). modified the HTTP status code in transit (e.g., by a proxy or cache).
As such, those defining problem types as well as generators and As such, those defining problem types as well as generators and
consumers of problems need to be aware that generic software (such as consumers of problems need to be aware that generic software (such as
proxies, load balancers, firewalls, virus scanners) are unlikely to proxies, load balancers, firewalls, and virus scanners) are unlikely
know of or respect the status code conveyed in this member. to know of or respect the status code conveyed in this member.
6. IANA Considerations 6. IANA Considerations
This specification defines two new Internet media types [RFC6838]: This specification defines two new Internet media types [RFC6838].
6.1. application/problem+json
Type name: application Type name: application
Subtype name: problem+json Subtype name: problem+json
Required parameters: None Required parameters: None
Optional parameters: None; unrecognised parameters should be ignored
Optional parameters: None; unrecognized parameters should be ignored
Encoding considerations: Same as [RFC7159] Encoding considerations: Same as [RFC7159]
Security considerations: see Section 5 of this document Security considerations: see Section 5 of this document
Interoperability considerations: None Interoperability considerations: None
Published specification: [this document]
Published specification: RFC 7807 (this document)
Applications that use this media type: HTTP Applications that use this media type: HTTP
Fragment identifier considerations: Same as for application/json Fragment identifier considerations: Same as for application/json
([RFC7159]) ([RFC7159])
Additional information: Additional information:
Deprecated alias names for this type: n/a Deprecated alias names for this type: n/a
Magic number(s): n/a Magic number(s): n/a
File extension(s): n/a File extension(s): n/a
Macintosh file type code(s): n/a Macintosh file type code(s): n/a
Person and email address to contact for further information: Mark
Nottingham <mnot@mnot.net> Person and email address to contact for further information: Mark No
ttingham <mnot@mnot.net>
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: None. Restrictions on usage: None.
Author: Mark Nottingham <mnot@mnot.net> Author: Mark Nottingham <mnot@mnot.net>
Change controller: IESG Change controller: IESG
6.2. application/problem+xml
Type name: application Type name: application
Subtype name: problem+xml Subtype name: problem+xml
Required parameters: None Required parameters: None
Optional parameters: None; unrecognised parameters should be ignored
Optional parameters: None; unrecognized parameters should be ignored
Encoding considerations: Same as [RFC7303] Encoding considerations: Same as [RFC7303]
Security considerations: see Section 5 of this document Security considerations: see Section 5 of this document
Interoperability considerations: None Interoperability considerations: None
Published specification: [this document]
Published specification: RFC 7807 (this document)
Applications that use this media type: HTTP Applications that use this media type: HTTP
Fragment identifier considerations: Same as for application/xml (as Fragment identifier considerations: Same as for application/xml (as
specified by Section 5 of [RFC7303]) specified by Section 5 of [RFC7303])
Additional information: Additional information:
Deprecated alias names for this type: n/a Deprecated alias names for this type: n/a
Magic number(s): n/a Magic number(s): n/a
File extension(s): n/a File extension(s): n/a
Macintosh file type code(s): n/a Macintosh file type code(s): n/a
Person and email address to contact for further information: Mark
Nottingham <mnot@mnot.net> Person and email address to contact for further information: Mark No
ttingham <mnot@mnot.net>
Intended usage: COMMON Intended usage: COMMON
Restrictions on usage: None. Restrictions on usage: None.
Author: Mark Nottingham <mnot@mnot.net> Author: Mark Nottingham <mnot@mnot.net>
Change controller: IESG
7. Acknowledgements Change controller: IESG
The authors would like to thank Jan Algermissen, Mike Amundsen, Subbu 7. References
Allamaraju, Roy Fielding, Eran Hammer, Sam Johnston, Mike McCall,
Julian Reschke, and James Snell for review of this specification.
8. References 7.1. Normative References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119,
RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<http://www.rfc-editor.org/info/rfc3986>. <http://www.rfc-editor.org/info/rfc3986>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/ Specifications: ABNF", STD 68, RFC 5234,
RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>. <http://www.rfc-editor.org/info/rfc5234>.
[RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", RFC 7159, DOI 10.17487/RFC7159, Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March
March 2014, <http://www.rfc-editor.org/info/rfc7159>. 2014, <http://www.rfc-editor.org/info/rfc7159>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing", Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014, RFC 7230, DOI 10.17487/RFC7230, June 2014,
<http://www.rfc-editor.org/info/rfc7230>. <http://www.rfc-editor.org/info/rfc7230>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014, DOI 10.17487/RFC7231, June 2014,
<http://www.rfc-editor.org/info/rfc7231>. <http://www.rfc-editor.org/info/rfc7231>.
[W3C.REC-xml-20081126] [W3C.REC-xml-20081126]
Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and
F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth
Edition)", World Wide Web Consortium Recommendation REC- Edition)", W3C Recommendation REC-xml-20081126, November
xml-20081126, November 2008, 2008, <http://www.w3.org/TR/2008/REC-xml-20081126>.
<http://www.w3.org/TR/2008/REC-xml-20081126>.
8.2. Informative References 7.2. Informative References
[ISO-19757-2] [ISO-19757-2]
International Organization for Standardization, International Organization for Standardization,
"Information Technology --- Document Schema Definition "Information Technology --- Document Schema Definition
Languages (DSDL) --- Part 2: Grammar-based Validation --- Languages (DSDL) --- Part 2: Grammar-based Validation ---
RELAX NG", ISO/IEC 19757-2, 2003. RELAX NG", ISO/IEC 19757-2, 2003.
[RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed
Authoring and Versioning (WebDAV)", RFC 4918, Authoring and Versioning (WebDAV)", RFC 4918,
DOI 10.17487/RFC4918, June 2007, DOI 10.17487/RFC4918, June 2007,
<http://www.rfc-editor.org/info/rfc4918>. <http://www.rfc-editor.org/info/rfc4918>.
[RFC5988] Nottingham, M., "Web Linking", RFC 5988, DOI 10.17487/ [RFC5988] Nottingham, M., "Web Linking", RFC 5988,
RFC5988, October 2010, DOI 10.17487/RFC5988, October 2010,
<http://www.rfc-editor.org/info/rfc5988>. <http://www.rfc-editor.org/info/rfc5988>.
[RFC6694] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694, [RFC6694] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694,
DOI 10.17487/RFC6694, August 2012, DOI 10.17487/RFC6694, August 2012,
<http://www.rfc-editor.org/info/rfc6694>. <http://www.rfc-editor.org/info/rfc6694>.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13, Specifications and Registration Procedures", BCP 13,
RFC 6838, DOI 10.17487/RFC6838, January 2013, RFC 6838, DOI 10.17487/RFC6838, January 2013,
<http://www.rfc-editor.org/info/rfc6838>. <http://www.rfc-editor.org/info/rfc6838>.
[RFC7303] Thompson, H. and C. Lilley, "XML Media Types", RFC 7303, [RFC7303] Thompson, H. and C. Lilley, "XML Media Types", RFC 7303,
DOI 10.17487/RFC7303, July 2014, DOI 10.17487/RFC7303, July 2014,
<http://www.rfc-editor.org/info/rfc7303>. <http://www.rfc-editor.org/info/rfc7303>.
[W3C.REC-html5-20141028] [W3C.REC-html5-20141028]
Hickson, I., Berjon, R., Faulkner, S., Leithead, T., Hickson, I., Berjon, R., Faulkner, S., Leithead, T.,
Navara, E., O&#039;Connor, T., and S. Pfeiffer, "HTML5", Navara, E., O'Connor, E., and S. Pfeiffer, "HTML5", W3C
World Wide Web Consortium Recommendation REC-html5- Recommendation REC-html5-20141028, October 2014,
20141028, October 2014,
<http://www.w3.org/TR/2014/REC-html5-20141028>. <http://www.w3.org/TR/2014/REC-html5-20141028>.
[W3C.REC-rdfa-core-20130822] [W3C.REC-rdfa-core-20130822]
Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa
Core 1.1 - Second Edition", World Wide Web Consortium Core 1.1 - Second Edition", W3C Recommendation REC-rdfa-
Recommendation REC-rdfa-core-20130822, August 2013, core-20130822, August 2013,
<http://www.w3.org/TR/2013/REC-rdfa-core-20130822>. <http://www.w3.org/TR/2013/REC-rdfa-core-20130822>.
[W3C.REC-xml-stylesheet-20101028] [W3C.REC-xml-stylesheet-20101028]
Clark, J., Pieters, S., and H. Thompson, "Associating Clark, J., Pieters, S., and H. Thompson, "Associating
Style Sheets with XML documents 1.0 (Second Edition)", Style Sheets with XML documents 1.0 (Second Edition)", W3C
World Wide Web Consortium Recommendation REC-xml- Recommendation REC-xml-stylesheet-20101028, October 2010,
stylesheet-20101028, October 2010,
<http://www.w3.org/TR/2010/REC-xml-stylesheet-20101028>. <http://www.w3.org/TR/2010/REC-xml-stylesheet-20101028>.
URIs
[1] <https://www.ietf.org/mailman/listinfo/apps-discuss>
Appendix A. HTTP Problems and XML Appendix A. HTTP Problems and XML
Some HTTP-based APIs use XML [W3C.REC-xml-20081126] as their primary Some HTTP-based APIs use XML [W3C.REC-xml-20081126] as their primary
format convention. Such APIs can express problem details using the format convention. Such APIs can express problem details using the
format defined in this appendix. format defined in this appendix.
The RELAX NG schema [ISO-19757-2] for the XML format is as follows. The RELAX NG schema [ISO-19757-2] for the XML format is as follows.
Keep in mind that this schema is only meant as documentation, and not Keep in mind that this schema is only meant as documentation, and not
as a normative schema that captures all constraints of the XML as a normative schema that captures all constraints of the XML
format. Also, it would be possible to use other XML schema languages format. Also, it would be possible to use other XML schema languages
to define a similar set of constraints (depending on the features of to define a similar set of constraints (depending on the features of
the chosen schema language). the chosen schema language).
default namespace ns = "urn:ietf:rfc:XXXX" default namespace ns = "urn:ietf:rfc:7807"
start = problem start = problem
problem = problem =
element problem { element problem {
( element type { xsd:anyURI }? ( element type { xsd:anyURI }?
& element title { xsd:string }? & element title { xsd:string }?
& element detail { xsd:string }? & element detail { xsd:string }?
& element status { xsd:positiveInteger }? & element status { xsd:positiveInteger }?
& element instance { xsd:anyURI }? ), & element instance { xsd:anyURI }? ),
anyNsElement anyNsElement
} }
anyNsElement = anyNsElement =
( element ns:* { anyNsElement | text } ( element ns:* { anyNsElement | text }
| attribute * { text })* | attribute * { text })*
The media type for this format is "application/problem+xml". The media type for this format is "application/problem+xml".
Extension arrays and objects are serialized into the XML format by Extension arrays and objects are serialized into the XML format by
considering an element containing a child or children to represent an considering an element containing a child or children to represent an
object, except for elements that contain only child element(s) named object, except for elements that contain only child element(s) named
'i', which are considered arrays. For example, the XML version of 'i', which are considered arrays. For example, the example above
the example above appears in XML as follows: appears in XML as follows:
HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden
Content-Type: application/problem+xml Content-Type: application/problem+xml
Content-Language: en Content-Language: en
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<problem xmlns="urn:ietf:rfc:XXXX"> <problem xmlns="urn:ietf:rfc:XXXX">
<type>https://example.com/probs/out-of-credit</type> <type>https://example.com/probs/out-of-credit</type>
<title>You do not have enough credit.</title> <title>You do not have enough credit.</title>
<detail>Your current balance is 30, but that costs 50.</detail> <detail>Your current balance is 30, but that costs 50.</detail>
<instance>https://example.net/account/12345/msgs/abc</instance> <instance>https://example.net/account/12345/msgs/abc</instance>
<balance>30</balance> <balance>30</balance>
<accounts> <accounts>
<i>https://example.net/account/12345</i> <i>https://example.net/account/12345</i>
<i>https://example.net/account/67890</i> <i>https://example.net/account/67890</i>
</accounts> </accounts>
</problem> </problem>
Note that this format uses an XML Namespace. This is primarily to Note that this format uses an XML namespace. This is primarily to
allow embedding it into other XML-based formats; it does not imply allow embedding it into other XML-based formats; it does not imply
that it can or should be extended with elements or attributes in that it can or should be extended with elements or attributes in
other namespaces. The RELAX NG schema explicitly only allows other namespaces. The RELAX NG schema explicitly only allows
elements from the one namespace used in the XML format. Any elements from the one namespace used in the XML format. Any
extension arrays and objects MUST be serialized into XML markup using extension arrays and objects MUST be serialized into XML markup using
only that namespace. only that namespace.
When using the XML format, it is possible to embed an XML Processing When using the XML format, it is possible to embed an XML processing
Instruction in the XML that instructs clients to transform the XML, instruction in the XML that instructs clients to transform the XML,
using the referenced XSLT code [W3C.REC-xml-stylesheet-20101028]. If using the referenced XSLT code [W3C.REC-xml-stylesheet-20101028]. If
this code is transforming the XML into (X)HTML, then it is possible this code is transforming the XML into (X)HTML, then it is possible
to serve the XML format, and yet have clients capable of performing to serve the XML format, and yet have clients capable of performing
the transformation display human-friendly (X)HTML that is rendered the transformation display human-friendly (X)HTML that is rendered
and displayed at the client. Note that when using this method, it is and displayed at the client. Note that when using this method, it is
advisable to use XSLT 1.0, in order to maximize the number of clients advisable to use XSLT 1.0 in order to maximize the number of clients
capable of executing the XSLT code. capable of executing the XSLT code.
Appendix B. Using Problem Details with Other Formats Appendix B. Using Problem Details with Other Formats
In some situations, it can be advantageous to embed Problem Details In some situations, it can be advantageous to embed problem details
in formats other than those described here. For example, an API that in formats other than those described here. For example, an API that
uses HTML [W3C.REC-html5-20141028] might want to also use HTML for uses HTML [W3C.REC-html5-20141028] might want to also use HTML for
expressing its problem details. expressing its problem details.
Problem details can be embedded in other formats by either Problem details can be embedded in other formats either by
encapsulating one of the existing serializations (JSON or XML) into encapsulating one of the existing serializations (JSON or XML) into
that format, or by translating the model of a Problem Detail (as that format or by translating the model of a problem detail (as
specified in Section 3) into the format's conventions. specified in Section 3) into the format's conventions.
For example, in HTML, a problem could be embedded by encapsulating For example, in HTML, a problem could be embedded by encapsulating
JSON in a script tag: JSON in a script tag:
<script type="application/problem+json"> <script type="application/problem+json">
{ {
"type": "https://example.com/probs/out-of-credit", "type": "https://example.com/probs/out-of-credit",
"title": "You do not have enough credit.", "title": "You do not have enough credit.",
"detail": "Your current balance is 30, but that costs 50.", "detail": "Your current balance is 30, but that costs 50.",
"instance": "/account/12345/msgs/abc", "instance": "/account/12345/msgs/abc",
"balance": 30, "balance": 30,
"accounts": ["/account/12345", "accounts": ["/account/12345",
"/account/67890"] "/account/67890"]
} }
</script> </script>
or by inventing a mapping into RDFa [W3C.REC-rdfa-core-20130822]. or by inventing a mapping into RDFa [W3C.REC-rdfa-core-20130822].
This specification does not make specific recommendations regarding This specification does not make specific recommendations regarding
embedding Problem Details in other formats; the appropriate way to embedding problem details in other formats; the appropriate way to
embed them depends both upon the format in use and application of embed them depends both upon the format in use and application of
that format. that format.
Appendix C. Acknowledgements
The authors would like to thank Jan Algermissen, Subbu Allamaraju,
Mike Amundsen, Roy Fielding, Eran Hammer, Sam Johnston, Mike McCall,
Julian Reschke, and James Snell for review of this specification.
Authors' Addresses Authors' Addresses
Mark Nottingham Mark Nottingham
Akamai Akamai
Email: mnot@mnot.net Email: mnot@mnot.net
URI: http://www.mnot.net/ URI: https://www.mnot.net/
Erik Wilde Erik Wilde
Email: erik.wilde@dret.net Email: erik.wilde@dret.net
URI: http://dret.net/netdret/ URI: http://dret.net/netdret/
 End of changes. 95 change blocks. 
140 lines changed or deleted 184 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/