draft-ietf-httpapi-rfc7807bis-02.txt   draft-ietf-httpapi-rfc7807bis-03.txt 
HTTPAPI M. Nottingham HTTPAPI M. Nottingham
Internet-Draft Internet-Draft
Obsoletes: 7807 (if approved) E. Wilde Obsoletes: 7807 (if approved) E. Wilde
Intended status: Standards Track Intended status: Standards Track
Expires: 18 October 2022 S. Dalal Expires: 26 November 2022 S. Dalal
16 April 2022 25 May 2022
Problem Details for HTTP APIs Problem Details for HTTP APIs
draft-ietf-httpapi-rfc7807bis-02 draft-ietf-httpapi-rfc7807bis-03
Abstract Abstract
This document defines a "problem detail" to carry machine-readable This document defines a "problem detail" to carry machine-readable
details of errors in a HTTP response to avoid the need to define new details of errors in HTTP response content and/or fields to avoid the
error response formats for HTTP APIs. need to define new error response formats for HTTP APIs.
Discussion Venues Discussion Venues
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
Source for this draft and an issue tracker can be found at Source for this draft and an issue tracker can be found at
https://github.com/ietf-wg-httpapi/rfc7807bis. https://github.com/ietf-wg-httpapi/rfc7807bis.
Status of This Memo Status of This Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 18 October 2022. This Internet-Draft will expire on 26 November 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 3
3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4 3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4
3.1. Members of a Problem Details Object . . . . . . . . . . . 5 3.1. Members of a Problem Details Object . . . . . . . . . . . 6
3.1.1. "type" . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.1. "type" . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.2. "status" . . . . . . . . . . . . . . . . . . . . . . 6 3.1.2. "status" . . . . . . . . . . . . . . . . . . . . . . 7
3.1.3. "title" . . . . . . . . . . . . . . . . . . . . . . . 7 3.1.3. "title" . . . . . . . . . . . . . . . . . . . . . . . 7
3.1.4. "detail" . . . . . . . . . . . . . . . . . . . . . . 7 3.1.4. "detail" . . . . . . . . . . . . . . . . . . . . . . 7
3.1.5. "instance" . . . . . . . . . . . . . . . . . . . . . 7 3.1.5. "instance" . . . . . . . . . . . . . . . . . . . . . 8
3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 8 3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 8
4. Defining New Problem Types . . . . . . . . . . . . . . . . . 8 4. The Problem HTTP Field . . . . . . . . . . . . . . . . . . . 9
4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 10 5. Defining New Problem Types . . . . . . . . . . . . . . . . . 10
4.2. Registered Problem Types . . . . . . . . . . . . . . . . 10 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.2.1. about:blank . . . . . . . . . . . . . . . . . . . . . 11 5.2. Registered Problem Types . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 5.2.1. about:blank . . . . . . . . . . . . . . . . . . . . . 12
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
7.1. Normative References . . . . . . . . . . . . . . . . . . 12 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.2. Informative References . . . . . . . . . . . . . . . . . 13 8.1. Normative References . . . . . . . . . . . . . . . . . . 14
Appendix A. JSON Schema for HTTP Problems . . . . . . . . . . . 14 8.2. Informative References . . . . . . . . . . . . . . . . . 15
Appendix B. HTTP Problems and XML . . . . . . . . . . . . . . . 15 Appendix A. JSON Schema for HTTP Problems . . . . . . . . . . . 16
Appendix C. Using Problem Details with Other Formats . . . . . . 17 Appendix B. HTTP Problems and XML . . . . . . . . . . . . . . . 17
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 Appendix C. Using Problem Details with Other Formats . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
1. Introduction 1. Introduction
HTTP status codes (Section 15 of [HTTP]) cannot always convey enough HTTP status codes (Section 15 of [HTTP]) cannot always convey enough
information about errors to be helpful. While humans using Web information about errors to be helpful. While humans using Web
browsers can often understand an HTML [HTML5] response body, non- browsers can often understand an HTML [HTML5] response body, non-
human consumers of HTTP APIs have difficulty doing so. human consumers of HTTP APIs have difficulty doing so.
To address that shortcoming, this specification defines simple JSON To address that shortcoming, this specification defines simple JSON
[RFC8259] and XML [XML] document formats to describe the specifics of [JSON] and XML [XML] document formats and a HTTP field to describe
problem(s) encountered -- "problem details". the specifics of problem(s) encountered -- "problem details".
For example, consider a response indicating that the client's account For example, consider a response indicating that the client's account
doesn't have enough credit. The API's designer might decide to use doesn't have enough credit. The API's designer might decide to use
the 403 Forbidden status code to inform HTTP-generic software (such the 403 Forbidden status code to inform HTTP-generic software (such
as client libraries, caches, and proxies) of the response's general as client libraries, caches, and proxies) of the response's general
semantics. API-specific problem details (such as the why the server semantics. API-specific problem details (such as the why the server
refused the request and the applicable account balance) can be refused the request and the applicable account balance) can be
carried in the response content, so that the client can act upon them carried in the response content, so that the client can act upon them
appropriately (for example, triggering a transfer of more credit into appropriately (for example, triggering a transfer of more credit into
the account). the account).
This specification identifies the specific "problem type" (e.g., "out This specification identifies the specific "problem type" (e.g., "out
of credit") with a URI [RFC3986]. HTTP APIs can use URIs under their of credit") with a URI [URI]. HTTP APIs can use URIs under their
control to identify problems specific to them, or can reuse existing control to identify problems specific to them, or can reuse existing
ones to facilitate interoperability and leverage common semantics ones to facilitate interoperability and leverage common semantics
(see Section 4.2). (see Section 5.2).
Problem details can contain other information, such as a URI Problem details can contain other information, such as a URI
identifying the problem's specific occurrence (effectively giving an identifying the problem's specific occurrence (effectively giving an
identifier to the concept "The time Joe didn't have enough credit identifier to the concept "The time Joe didn't have enough credit
last Thursday"), which can be useful for support or forensic last Thursday"), which can be useful for support or forensic
purposes. purposes.
The data model for problem details is a JSON [RFC8259] object; when The data model for problem details is a JSON [JSON] object; when
serialized as a JSON document, it uses the "application/problem+json" serialized as a JSON document, it uses the "application/problem+json"
media type. Appendix B defines an equivalent XML format, which uses media type. Appendix B defines an equivalent XML format, which uses
the "application/problem+xml" media type. the "application/problem+xml" media type.
Note that problem details are (naturally) not the only way to convey Note that problem details are (naturally) not the only way to convey
the details of a problem in HTTP. If the response is still a the details of a problem in HTTP. If the response is still a
representation of a resource, for example, it's often preferable to representation of a resource, for example, it's often preferable to
describe the relevant details in that application's format. describe the relevant details in that application's format.
Likewise, defined HTTP status codes cover many situations with no Likewise, defined HTTP status codes cover many situations with no
need to convey extra detail. need to convey extra detail.
This specification's aim is to define common error formats for This specification's aim is to define common error formats for
applications that need one so that they aren't required to define applications that need one so that they aren't required to define
their own, or worse, tempted to redefine the semantics of existing their own, or worse, tempted to redefine the semantics of existing
HTTP status codes. Even if an application chooses not to use it to HTTP status codes. Even if an application chooses not to use it to
convey errors, reviewing its design can help guide the design convey errors, reviewing its design can help guide the design
decisions faced when conveying errors in an existing format. decisions faced when conveying errors in an existing format.
2. Requirements 2. Notational Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
3. The Problem Details JSON Object This document uses the following terminology from [STRUCTURED-FIELDS]
to specify syntax and parsing: Dictionary, String, and Integer.
The canonical model for problem details is a JSON [RFC8259] object. 3. The Problem Details JSON Object
When serialized as a JSON document, that format is identified with The canonical model for problem details is a JSON [JSON] object.
When serialized in a JSON document, that format is identified with
the "application/problem+json" media type. the "application/problem+json" media type.
For example, an HTTP response carrying JSON problem details: For example:
POST /purchase HTTP/1.1
Host: store.example.com
Content-Type: application/json
Accept: application/json, application/problem+json
{
"item": 123456,
"quantity": 2
}
HTTP/1.1 403 Forbidden HTTP/1.1 403 Forbidden
Content-Type: application/problem+json Content-Type: application/problem+json
Content-Language: en Content-Language: en
{ {
"type": "https://example.com/probs/out-of-credit", "type": "https://example.com/probs/out-of-credit",
"title": "You do not have enough credit.", "title": "You do not have enough credit.",
"detail": "Your current balance is 30, but that costs 50.", "detail": "Your current balance is 30, but that costs 50.",
"instance": "/account/12345/msgs/abc", "instance": "/account/12345/msgs/abc",
"balance": 30, "balance": 30,
"accounts": ["/account/12345", "accounts": ["/account/12345",
"/account/67890"] "/account/67890"]
} }
Here, the out-of-credit problem (identified by its type) indicates Here, the out-of-credit problem (identified by its type) indicates
the reason for the 403 in "title", identifies the specific problem the reason for the 403 in "title", identifies the specific problem
occurrence with "instance", gives occurrence-specific details in occurrence with "instance", gives occurrence-specific details in
"detail", and adds two extensions; "balance" conveys the account's "detail", and adds two extensions: "balance" conveys the account's
balance, and "accounts" lists links where the account can be topped balance, and "accounts" lists links where the account can be topped
up. up.
When designed to accommodate it, problem-specific extensions can When designed to accommodate it, problem-specific extensions can
allow more than one instance of the same problem type to be conveyed. allow more than one instance of the same problem type to be conveyed.
For example: For example:
POST /details HTTP/1.1
Host: account.example.com
Accept: application/json
{
"age": 42.3,
"profile": {
"color": "yellow"
}
}
HTTP/1.1 400 Bad Request HTTP/1.1 400 Bad Request
Content-Type: application/problem+json Content-Type: application/problem+json
Content-Language: en Content-Language: en
{ {
"type": "https://example.net/validation-error", "type": "https://example.net/validation-error",
"title": "Your request is not valid.", "title": "Your request is not valid.",
"causes": [ "errors": [
{ {
"detail": "must be a positive integer", "detail": "must be a positive integer",
"problem-pointer": "#/age" "pointer": "#/age"
}, },
{ {
"detail": "must be 'green', 'red' or 'blue'", "detail": "must be 'green', 'red' or 'blue'",
"problem-pointer": "#/profile/color" "pointer": "#/profile/color"
} }
] ]
} }
The fictional problem type here defines the "causes" extension, an The fictional problem type here defines the "errors" extension, an
array that describes the details of multiple occurrences. Each array that describes the details of each validation error. Each
member is an object containing "detail" to describe the issue, and member is an object containing "detail" to describe the issue, and
"problem-pointer" to locate the problem within the request's content "pointer" to locate the problem within the request's content using a
using a JSON Pointer [RFC6901]. JSON Pointer [JSON-POINTER].
When an API encounters multiple problems that do not share the same When an API encounters multiple problems that do not share the same
type, it is RECOMMENDED that the most relevant or urgent problem be type, it is RECOMMENDED that the most relevant or urgent problem be
represented in the response. While it is possible to create generic represented in the response. While it is possible to create generic
"batch" problem types that convey multiple, disparate types, they do "batch" problem types that convey multiple, disparate types, they do
not map well into HTTP semantics. not map well into HTTP semantics.
Note also that the API has responded with the application/
problem+json type, even though the client did not list it in Accept,
as is allowed by HTTP (see Section 12.5.1 of [HTTP]).
3.1. Members of a Problem Details Object 3.1. Members of a Problem Details Object
Problem detail objects can have the following members. If a member's Problem detail objects can have the following members. If a member's
value type does not match the specified type, the member MUST be value type does not match the specified type, the member MUST be
ignored -- i.e., processing will continue as if the member had not ignored -- i.e., processing will continue as if the member had not
been present. been present.
3.1.1. "type" 3.1.1. "type"
The "type" member is a JSON string containing a URI reference The "type" member is a JSON string containing a URI reference [URI]
[RFC3986] that identifies the problem type. Consumers MUST use the that identifies the problem type. Consumers MUST use the "type" URI
"type" URI (after resolution, if necessary) problem's primary (after resolution, if necessary) problem's primary identifier.
identifier.
When this member is not present, its value is assumed to be When this member is not present, its value is assumed to be
"about:blank". "about:blank".
If the type URI is a locator (e.g., those with a "http" or "https" If the type URI is a locator (e.g., those with a "http" or "https"
scheme), dereferencing it SHOULD provide human-readable documentation scheme), dereferencing it SHOULD provide human-readable documentation
for the problem type (e.g., using HTML [HTML5]). However, consumers for the problem type (e.g., using HTML [HTML5]). However, consumers
SHOULD NOT automatically dereference the type URI, unless they do so SHOULD NOT automatically dereference the type URI, unless they do so
when providing information to developers (e.g., when a debugging tool when providing information to developers (e.g., when a debugging tool
is in use). is in use).
When "type" contains a relative URI, it is resolved relative to the When "type" contains a relative URI, it is resolved relative to the
document's base URI, as per [RFC3986], Section 5. However, using document's base URI, as per [URI], Section 5. However, using
relative URIs can cause confusion, and they might not be handled relative URIs can cause confusion, and they might not be handled
correctly by all implementations. correctly by all implementations.
For example, if the two resources "https://api.example.org/foo/ For example, if the two resources "https://api.example.org/foo/
bar/123" and "https://api.example.org/widget/456" both respond with a bar/123" and "https://api.example.org/widget/456" both respond with a
"type" equal to the relative URI reference "example-problem", when "type" equal to the relative URI reference "example-problem", when
resolved they will identify different resources resolved they will identify different resources
("https://api.example.org/foo/bar/example-problem" and ("https://api.example.org/foo/bar/example-problem" and
"https://api.example.org/widget/example-problem" respectively). As a "https://api.example.org/widget/example-problem" respectively). As a
result, it is RECOMMENDED that absolute URIs be used in "type" when result, it is RECOMMENDED that absolute URIs be used in "type" when
possible, and that when relative URIs are used, they include the full possible, and that when relative URIs are used, they include the full
path (e.g., "/types/123"). path (e.g., "/types/123").
The type URI can also be a non-resolvable URI. For example, the tag The type URI can also be a non-resolvable URI. For example, the tag
URI scheme [RFC4151] can be used to uniquely identify problem types: URI scheme [TAG] can be used to uniquely identify problem types:
tag:mnot@mnot.net,2021-09-17:OutOfLuck tag:mnot@mnot.net,2021-09-17:OutOfLuck
Non-resolvable URIs ought not be used when there is some future Non-resolvable URIs ought not be used when there is some future
possibility that it might become desirable to do so. For example, if possibility that it might become desirable to do so. For example, if
an API designer used the URI above and later adopted a tool that an API designer used the URI above and later adopted a tool that
resolves type URIs to discover information about the error, taking resolves type URIs to discover information about the error, taking
advantage of that capability would require switching to a resolvable advantage of that capability would require switching to a resolvable
URI, creating a new identity for the problem type and thus URI, creating a new identity for the problem type and thus
introducing a breaking change. introducing a breaking change.
3.1.2. "status" 3.1.2. "status"
skipping to change at page 6, line 50 skipping to change at page 7, line 22
3.1.2. "status" 3.1.2. "status"
The "status" member is a JSON number indicating the HTTP status code The "status" member is a JSON number indicating the HTTP status code
([HTTP], Section 15) generated by the origin server for this ([HTTP], Section 15) generated by the origin server for this
occurrence of the problem. occurrence of the problem.
The "status" member, if present, is only advisory; it conveys the The "status" member, if present, is only advisory; it conveys the
HTTP status code used for the convenience of the consumer. HTTP status code used for the convenience of the consumer.
Generators MUST use the same status code in the actual HTTP response, Generators MUST use the same status code in the actual HTTP response,
to assure that generic HTTP software that does not understand this to assure that generic HTTP software that does not understand this
format still behaves correctly. See Section 5 for further caveats format still behaves correctly. See Section 6 for further caveats
regarding its use. regarding its use.
Consumers can use the status member to determine what the original Consumers can use the status member to determine what the original
status code used by the generator was, in cases where it has been status code used by the generator was, in cases where it has been
changed (e.g., by an intermediary or cache), and when message bodies changed (e.g., by an intermediary or cache), and when message bodies
persist without HTTP information. Generic HTTP software will still persist without HTTP information. Generic HTTP software will still
use the HTTP status code. use the HTTP status code.
3.1.3. "title" 3.1.3. "title"
skipping to change at page 8, line 6 skipping to change at page 8, line 24
When the "instance" URI is dereferenceable, the problem details When the "instance" URI is dereferenceable, the problem details
object can be fetched from it. It might also return information object can be fetched from it. It might also return information
about the problem occurrence in other formats through use of about the problem occurrence in other formats through use of
proactive content negotiation (see [HTTP], Section 12.5.1). proactive content negotiation (see [HTTP], Section 12.5.1).
When the "instance" URI is not dereferenceable, it serves as a unique When the "instance" URI is not dereferenceable, it serves as a unique
identifier for the problem occurrence that may be of significance to identifier for the problem occurrence that may be of significance to
the server, but is opaque to the client. the server, but is opaque to the client.
When "instance" contains a relative URI, it is resolved relative to When "instance" contains a relative URI, it is resolved relative to
the document's base URI, as per [RFC3986], Section 5. However, using the document's base URI, as per [URI], Section 5. However, using
relative URIs can cause confusion, and they might not be handled relative URIs can cause confusion, and they might not be handled
correctly by all implementations. correctly by all implementations.
For example, if the two resources "https://api.example.org/foo/ For example, if the two resources "https://api.example.org/foo/
bar/123" and "https://api.example.org/widget/456" both respond with bar/123" and "https://api.example.org/widget/456" both respond with
an "instance" equal to the relative URI reference "example-instance", an "instance" equal to the relative URI reference "example-instance",
when resolved they will identify different resources when resolved they will identify different resources
("https://api.example.org/foo/bar/example-instance" and ("https://api.example.org/foo/bar/example-instance" and
"https://api.example.org/widget/example-instance" respectively). As "https://api.example.org/widget/example-instance" respectively). As
a result, it is RECOMMENDED that absolute URIs be used in "instance" a result, it is RECOMMENDED that absolute URIs be used in "instance"
when possible, and that when relative URIs are used, they include the when possible, and that when relative URIs are used, they include the
full path (e.g., "/instances/123"). full path (e.g., "/instances/123").
3.2. Extension Members 3.2. Extension Members
Problem type definitions MAY extend the problem details object with Problem type definitions MAY extend the problem details object with
additional members. additional members that are specific to that problem type.
For example, our "out of credit" problem above defines two such For example, our "out of credit" problem above defines two such
extensions -- "balance" and "accounts" to convey additional, problem- extensions -- "balance" and "accounts" to convey additional, problem-
specific information. specific information.
Similarly, the "Multi-Status" example defines two extensions -- Similarly, the "validation error" example defines a "errors"
"causes" and "problem-pointer". Extensions like "problem-pointer" extension that contains a list of individual error occurrences found,
are more appropriate to use for problems associated with client side with details and a pointer to the location of each.
errors 4xx only.
Clients consuming problem details MUST ignore any such extensions Clients consuming problem details MUST ignore any such extensions
that they don't recognize; this allows problem types to evolve and that they don't recognize; this allows problem types to evolve and
include additional information in the future. include additional information in the future.
Note that because extensions are effectively put into a namespace by Future updates to this specification might define additional members
the problem type, it is not possible to define new "standard" members that are available to all problem types, distinguished by a name
without defining a new media type. starting with "*". To avoid conflicts, extension member names SHOULD
NOT start with the "*" character.
4. Defining New Problem Types When creating extensions, problem type authors should choose their
names carefully. To be used in the XML format (see Appendix B), they
will need to conform to the Name rule in Section 2.3 of [XML]. To be
used in the HTTP field (see Section 4), they will need to conform to
the Dictionary key syntax defined in Section 3.2 of
[STRUCTURED-FIELDS].
Problem type authors that wish their extensions to be usable in the
Problem HTTP field (see Section 4) will also need to define the
Structured Type(s) that their values are mapped to.
4. The Problem HTTP Field
Some problems might best be conveyed in a HTTP header or trailer
field, rather than in the message content. For example, when a
problem does not prevent a successful response from being generated,
or when the problem's details are useful to software that does not
inspect the response content.
The Problem HTTP field allows a limited expression of a problem
object in HTTP headers or trailers. It is a Dictionary Structured
Field (Section 3.2 of [STRUCTURED-FIELDS]) that can contain the
following keys, whose semantics and related requirements are
inherited from problem objects:
type: the type value (see Section 3.1.1), as a String
status: the status value (see Section 3.1.2), as an Integer
title: The title value (see Section 3.1.3), as a String
detail: The detail value (see Section 3.1.4), as a String
instance: The instance value (see Section 3.1.5), as a String
The title and detail values MUST NOT be serialized in the Problem
field if they contain characters that are not allowed by String; see
Section 3.3.3 of [STRUCTURED-FIELDS]. Practically, this has the
effect of limiting them to ASCII strings.
An extension member (see Section 3.2) MAY occur in the Problem field
if its name is compatible with the syntax of Dictionary keys (see
Section 3.2 of [STRUCTURED-FIELDS]) and if the defining problem type
specifies a Structured Type to serialize the value into.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Problem: type="https://example.net/problems/almost-out",
title="you're almost out of credit", credit_left=20
5. Defining New Problem Types
When an HTTP API needs to define a response that indicates an error When an HTTP API needs to define a response that indicates an error
condition, it might be appropriate to do so by defining a new problem condition, it might be appropriate to do so by defining a new problem
type. type.
Before doing so, it's important to understand what they are good for, Before doing so, it's important to understand what they are good for,
and what's better left to other mechanisms. and what's better left to other mechanisms.
Problem details are not a debugging tool for the underlying Problem details are not a debugging tool for the underlying
implementation; rather, they are a way to expose greater detail about implementation; rather, they are a way to expose greater detail about
the HTTP interface itself. Designers of new problem types need to the HTTP interface itself. Designers of new problem types need to
carefully consider the Security Considerations (Section 5), in carefully consider the Security Considerations (Section 6), in
particular, the risk of exposing attack vectors by exposing particular, the risk of exposing attack vectors by exposing
implementation internals through error messages. implementation internals through error messages.
Likewise, truly generic problems -- i.e., conditions that might apply Likewise, truly generic problems -- i.e., conditions that might apply
to any resource on the Web -- are usually better expressed as plain to any resource on the Web -- are usually better expressed as plain
status codes. For example, a "write access disallowed" problem is status codes. For example, a "write access disallowed" problem is
probably unnecessary, since a 403 Forbidden status code in response probably unnecessary, since a 403 Forbidden status code in response
to a PUT request is self-explanatory. to a PUT request is self-explanatory.
Finally, an application might have a more appropriate way to carry an Finally, an application might have a more appropriate way to carry an
skipping to change at page 9, line 46 skipping to change at page 11, line 17
Problem type definitions MAY specify the use of the Retry-After Problem type definitions MAY specify the use of the Retry-After
response header ([HTTP], Section 10.2.3) in appropriate response header ([HTTP], Section 10.2.3) in appropriate
circumstances. circumstances.
A problem's type URI SHOULD resolve to HTML [HTML5] documentation A problem's type URI SHOULD resolve to HTML [HTML5] documentation
that explains how to resolve the problem. that explains how to resolve the problem.
A problem type definition MAY specify additional members on the A problem type definition MAY specify additional members on the
problem details object. For example, an extension might use typed problem details object. For example, an extension might use typed
links [RFC8288] to another resource that machines can use to resolve links [WEB-LINKING] to another resource that machines can use to
the problem. resolve the problem.
If such additional members are defined, their names SHOULD start with If such additional members are defined, their names SHOULD start with
a letter (ALPHA, as per [RFC5234], Appendix B.1) and SHOULD comprise a letter (ALPHA, as per [ABNF], Appendix B.1) and SHOULD comprise
characters from ALPHA, DIGIT ([RFC5234], Appendix B.1), and "_" (so characters from ALPHA, DIGIT ([ABNF], Appendix B.1), and "_" (so that
that it can be serialized in formats other than JSON), and they it can be serialized in formats other than JSON), and they SHOULD be
SHOULD be three characters or longer. three characters or longer.
4.1. Example 5.1. Example
For example, if you are publishing an HTTP API to your online For example, if you are publishing an HTTP API to your online
shopping cart, you might need to indicate that the user is out of shopping cart, you might need to indicate that the user is out of
credit (our example from above), and therefore cannot make the credit (our example from above), and therefore cannot make the
purchase. purchase.
If you already have an application-specific format that can If you already have an application-specific format that can
accommodate this information, it's probably best to do that. accommodate this information, it's probably best to do that.
However, if you don't, you might use one of the problem details However, if you don't, you might use one of the problem details
formats -- JSON if your API is JSON-based, or XML if it uses that formats -- JSON if your API is JSON-based, or XML if it uses that
format. format.
To do so, you might look in the registry (Section 4.2) for an To do so, you might look in the registry (Section 5.2) for an
already-defined type URI that suits your purposes. If one is already-defined type URI that suits your purposes. If one is
available, you can reuse that URI. available, you can reuse that URI.
If one isn't available, you could mint and document a new type URI If one isn't available, you could mint and document a new type URI
(which ought to be under your control and stable over time), an (which ought to be under your control and stable over time), an
appropriate title and the HTTP status code that it will be used with, appropriate title and the HTTP status code that it will be used with,
along with what it means and how it should be handled. along with what it means and how it should be handled.
4.2. Registered Problem Types 5.2. Registered Problem Types
This specification defines the HTTP Problem Type registry for common, This specification defines the HTTP Problem Type registry for common,
widely-used problem type URIs, to promote reuse. widely-used problem type URIs, to promote reuse.
The policy for this registry is Specification Required, per The policy for this registry is Specification Required, per
[RFC8126], Section 4.5. [RFC8126], Section 4.5.
When evaluating requests, the Expert(s) should consider community When evaluating requests, the Expert(s) should consider community
feedback, how well-defined the problem type is, and this feedback, how well-defined the problem type is, and this
specification's requirements. Vendor-specific, application-specific, specification's requirements. Vendor-specific, application-specific,
skipping to change at page 11, line 18 skipping to change at page 12, line 33
* Recommended HTTP status code: [what status code is most * Recommended HTTP status code: [what status code is most
appropriate to use with the type] appropriate to use with the type]
* Reference: [to a specification defining the type] * Reference: [to a specification defining the type]
See the registry at https://iana.org/assignments/http-problem-types See the registry at https://iana.org/assignments/http-problem-types
(https://iana.org/assignments/http-problem-types) for details on (https://iana.org/assignments/http-problem-types) for details on
where to send registration requests. where to send registration requests.
4.2.1. about:blank 5.2.1. about:blank
This specification registers one Problem Type, "about:blank". This specification registers one Problem Type, "about:blank".
* Type URI: about:blank * Type URI: about:blank
* Title: See HTTP Status Code * Title: See HTTP Status Code
* Recommended HTTP status code: N/A * Recommended HTTP status code: N/A
* Reference: [this document] * Reference: [this document]
The "about:blank" URI [RFC6694], when used as a problem type, The "about:blank" URI [ABOUT], when used as a problem type, indicates
indicates that the problem has no additional semantics beyond that of that the problem has no additional semantics beyond that of the HTTP
the HTTP status code. status code.
When "about:blank" is used, the title SHOULD be the same as the When "about:blank" is used, the title SHOULD be the same as the
recommended HTTP status phrase for that code (e.g., "Not Found" for recommended HTTP status phrase for that code (e.g., "Not Found" for
404, and so on), although it MAY be localized to suit client 404, and so on), although it MAY be localized to suit client
preferences (expressed with the Accept-Language request header). preferences (expressed with the Accept-Language request header).
Please note that according to how the "type" member is defined Please note that according to how the "type" member is defined
(Section 3.1), the "about:blank" URI is the default value for that (Section 3.1), the "about:blank" URI is the default value for that
member. Consequently, any problem details object not carrying an member. Consequently, any problem details object not carrying an
explicit "type" member implicitly uses this URI. explicit "type" member implicitly uses this URI.
5. Security Considerations 6. Security Considerations
When defining a new problem type, the information included must be When defining a new problem type, the information included must be
carefully vetted. Likewise, when actually generating a problem -- carefully vetted. Likewise, when actually generating a problem --
however it is serialized -- the details given must also be however it is serialized -- the details given must also be
scrutinized. scrutinized.
Risks include leaking information that can be exploited to compromise Risks include leaking information that can be exploited to compromise
the system, access to the system, or the privacy of users of the the system, access to the system, or the privacy of users of the
system. system.
skipping to change at page 12, line 23 skipping to change at page 13, line 35
The "status" member duplicates the information available in the HTTP The "status" member duplicates the information available in the HTTP
status code itself, bringing the possibility of disagreement between status code itself, bringing the possibility of disagreement between
the two. Their relative precedence is not clear, since a the two. Their relative precedence is not clear, since a
disagreement might indicate that (for example) an intermediary has disagreement might indicate that (for example) an intermediary has
changed the HTTP status code in transit (e.g., by a proxy or cache). changed the HTTP status code in transit (e.g., by a proxy or cache).
Generic HTTP software (such as proxies, load balancers, firewalls, Generic HTTP software (such as proxies, load balancers, firewalls,
and virus scanners) are unlikely to know of or respect the status and virus scanners) are unlikely to know of or respect the status
code conveyed in this member. code conveyed in this member.
6. IANA Considerations 7. IANA Considerations
Please update the "application/problem+json" and "application/ Please update the "application/problem+json" and "application/
problem+xml" registrations in the Internet media types registry problem+xml" registrations in the "Media Types" registry to refer to
[RFC6838]. to refer to this document. this document.
Please create the HTTP Problem Types Registry, as specified in Please create the "HTTP Problem Types Registry" as specified in
Section 4.2, and populate it with "about:blank" as per Section 4.2.1. Section 5.2, and populate it with "about:blank" as per Section 5.2.1.
7. References Please register the following entry into the "Hypertext Transfer
Protocol (HTTP) Field Name Registry":
7.1. Normative References Field Name: Problem
Status: Permanent
Reference: RFC nnnn
8. References
8.1. Normative References
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/rfc/rfc5234>.
[HTTP] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP [HTTP] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP
Semantics", Work in Progress, Internet-Draft, draft-ietf- Semantics", Work in Progress, Internet-Draft, draft-ietf-
httpbis-semantics-19, 12 September 2021, httpbis-semantics-19, 12 September 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-httpbis- <https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-
semantics-19>. semantics-19>.
[JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/rfc/rfc8259>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>. <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/rfc/rfc3986>.
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/rfc/rfc5234>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26, Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017, RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/rfc/rfc8126>. <https://www.rfc-editor.org/rfc/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>. May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data [STRUCTURED-FIELDS]
Interchange Format", STD 90, RFC 8259, Nottingham, M. and P-H. Kamp, "Structured Field Values for
DOI 10.17487/RFC8259, December 2017, HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021,
<https://www.rfc-editor.org/rfc/rfc8259>. <https://www.rfc-editor.org/rfc/rfc8941>.
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/rfc/rfc3986>.
[XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and [XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and
F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth
Edition)", World Wide Web Consortium Recommendation REC- Edition)", World Wide Web Consortium Recommendation REC-
xml-20081126, 26 November 2008, xml-20081126, 26 November 2008,
<https://www.w3.org/TR/2008/REC-xml-20081126>. <https://www.w3.org/TR/2008/REC-xml-20081126>.
7.2. Informative References 8.2. Informative References
[ABOUT] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694,
DOI 10.17487/RFC6694, August 2012,
<https://www.rfc-editor.org/rfc/rfc6694>.
[HTML5] WHATWG, "HTML - Living Standard", n.d., [HTML5] WHATWG, "HTML - Living Standard", n.d.,
<https://html.spec.whatwg.org>. <https://html.spec.whatwg.org>.
[I-D.draft-bhutton-json-schema-00]
Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON
Schema: A Media Type for Describing JSON Documents", Work
in Progress, Internet-Draft, draft-bhutton-json-schema-00,
8 December 2020, <https://datatracker.ietf.org/doc/html/
draft-bhutton-json-schema-00>.
[ISO-19757-2] [ISO-19757-2]
International Organization for Standardization, International Organization for Standardization,
"Information Technology -- Document Schema Definition "Information Technology -- Document Schema Definition
Languages (DSDL) -- Part 2: Grammar-based Validation -- Languages (DSDL) -- Part 2: Grammar-based Validation --
RELAX NG", ISO/IEC 19757-2, 2003. RELAX NG", ISO/IEC 19757-2, 2003.
[JSON-POINTER]
Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed.,
"JavaScript Object Notation (JSON) Pointer", RFC 6901,
DOI 10.17487/RFC6901, April 2013,
<https://www.rfc-editor.org/rfc/rfc6901>.
[JSON-SCHEMA]
Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON
Schema: A Media Type for Describing JSON Documents", Work
in Progress, Internet-Draft, draft-bhutton-json-schema-00,
8 December 2020, <https://datatracker.ietf.org/doc/html/
draft-bhutton-json-schema-00>.
[RDFA] Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa [RDFA] Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa
Core 1.1 - Third Edition", World Wide Web Consortium Core 1.1 - Third Edition", World Wide Web Consortium
Recommendation REC-rdfa-core-20150317, 17 March 2015, Recommendation REC-rdfa-core-20150317, 17 March 2015,
<https://www.w3.org/TR/2015/REC-rdfa-core-20150317>. <https://www.w3.org/TR/2015/REC-rdfa-core-20150317>.
[RFC4151] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme", [TAG] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme",
RFC 4151, DOI 10.17487/RFC4151, October 2005, RFC 4151, DOI 10.17487/RFC4151, October 2005,
<https://www.rfc-editor.org/rfc/rfc4151>. <https://www.rfc-editor.org/rfc/rfc4151>.
[RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed [WEB-LINKING]
Authoring and Versioning (WebDAV)", RFC 4918, Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC4918, June 2007,
<https://www.rfc-editor.org/rfc/rfc4918>.
[RFC6694] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694,
DOI 10.17487/RFC6694, August 2012,
<https://www.rfc-editor.org/rfc/rfc6694>.
[RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type
Specifications and Registration Procedures", BCP 13,
RFC 6838, DOI 10.17487/RFC6838, January 2013,
<https://www.rfc-editor.org/rfc/rfc6838>.
[RFC6901] Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed.,
"JavaScript Object Notation (JSON) Pointer", RFC 6901,
DOI 10.17487/RFC6901, April 2013,
<https://www.rfc-editor.org/rfc/rfc6901>.
[RFC8288] Nottingham, M., "Web Linking", RFC 8288,
DOI 10.17487/RFC8288, October 2017, DOI 10.17487/RFC8288, October 2017,
<https://www.rfc-editor.org/rfc/rfc8288>. <https://www.rfc-editor.org/rfc/rfc8288>.
[XSLT] Clark, J., Pieters, S., and H. Thompson, "Associating [XSLT] Clark, J., Pieters, S., and H. Thompson, "Associating
Style Sheets with XML documents 1.0 (Second Edition)", Style Sheets with XML documents 1.0 (Second Edition)",
World Wide Web Consortium Recommendation REC-xml- World Wide Web Consortium Recommendation REC-xml-
stylesheet-20101028, 28 October 2010, stylesheet-20101028, 28 October 2010,
<https://www.w3.org/TR/2010/REC-xml-stylesheet-20101028>. <https://www.w3.org/TR/2010/REC-xml-stylesheet-20101028>.
Appendix A. JSON Schema for HTTP Problems Appendix A. JSON Schema for HTTP Problems
This section presents a non-normative JSON Schema This section presents a non-normative JSON Schema [JSON-SCHEMA] for
[I-D.draft-bhutton-json-schema-00] for HTTP Problem Details. If HTTP Problem Details. If there is any disagreement between it and
there is any disagreement between it and the text of the the text of the specification, the latter prevails.
specification, the latter prevails.
# NOTE: '\' line wrapping per RFC 8792 # NOTE: '\' line wrapping per RFC 8792
{ {
"$schema": "https://json-schema.org/draft/2020-12/schema", "$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "A problem object RFC 7807bis", "title": "A problem object RFC 7807bis",
"type": "object", "type": "object",
"properties": { "properties": {
"type": { "type": {
"type": "string", "type": "string",
"format": "uri-reference", "format": "uri-reference",
 End of changes. 58 change blocks. 
130 lines changed or deleted 213 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/