OAuth2 error responses claim to be XML, not JSON about orcid-source HOT 5 CLOSED

Yes the default content type is xml.

For json
curl -i -L -H 'Accept: application/json' --data 'client_id=0000-0003-2736-8061&client_secret=5f63d1c5-3f08-4fa5-b066-fd985ffd0df7&grant_type=authorization_code&code=Q70Y3A&redirect_uri=https://developers.google.com/oauthplayground' 'http://api.sandbox-1.orcid.org/oauth/token'

For xml
curl -i -L -H 'Accept: application/xml' --data 'client_id=0000-0003-2736-8061&client_secret=5f63d1c5-3f08-4fa5-b066-fd985ffd0df7&grant_type=authorization_code&code=Q70Y3A&redirect_uri=https://developers.google.com/oauthplayground' 'http://api.sandbox-1.orcid.org/oauth/token'

Please let me know if the above doesn't address your issue.

from orcid-source.

Curious. I suppose it's not too much of an issue as any OAuth2 library either asks for JSON (and so gets JSON), or doesn't ask for anything in particular (and then blindly attempts to parse the response as JSON, ignoring the content-type).

I was just concerned as I requested the token endpoint URL in Firefox, and got an invalid XML warning.

from orcid-source.

Hi Alex,
I'm not following why Firefox would be parsing XML. Please provide the issue you're concerned in reproducible curl statements.

from orcid-source.

My Firefox Accept header is "text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8", which prefers XML to JSON. The token endpoint is returning JSON, but with a media type of application/xml. As a result, Firefox attempts to parse the JSON as XML, and gets upset.

Your second curl call returns the following response:

HTTP/1.1 401 Unauthorized
Server: nginx/1.1.19
Date: Thu, 23 Jan 2014 17:00:08 GMT
Content-Type: application/xml;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
Cache-Control: no-store
Pragma: no-cache
WWW-Authenticate: Bearer realm="ORCID T2 API", error="invalid_client", error_description="Client not found: 0000-0003-2736-8061"

{"error":"invalid_client","error_description":"Client not found: 0000-0003-2736-8061"}

(i.e. JSON, served as XML)

Again, it's trivial, and not likely to cause anyone any trouble.

from orcid-source.

Ah, sorry I got it. /oauth/token' only returns json!

curl -i -L -H 'Accept: application/xml' --data 'client_id=0000-0003-2736-8061&client_secret=5f63d1c5-3f08-4fa5-b066-fd985ffd0df7&grant_type=authorization_code&code=Q70Y3A&redirect_uri=https://developers.google.com/oauthplayground' 'http://api.sandbox-1.orcid.org/oauth/token'

Yes that does seem strange, but is part of the spec: http://tools.ietf.org/html/rfc6749 Or at lest how Spring Security implemented the spec.

from orcid-source.