idnits 2.17.1 draft-ietf-httpapi-rfc7807bis-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC7807, but the abstract doesn't seem to directly say this. It does mention RFC7807 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 691 has weird spacing: '...element type ...' == Line 692 has weird spacing: '...element title...' == Line 693 has weird spacing: '...element detai...' == Line 694 has weird spacing: '...element statu...' == Line 695 has weird spacing: '...element insta...' == (1 more instance...) -- The document date (13 October 2021) is 898 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Normative reference to a draft: ref. 'HTTP' -- Possible downref: Non-RFC (?) normative reference: ref. 'XML' == Outdated reference: A later version (-01) exists of draft-bhutton-json-schema-00 Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPAPI M. Nottingham 3 Internet-Draft 4 Obsoletes: 7807 (if approved) E. Wilde 5 Intended status: Standards Track 6 Expires: 16 April 2022 S. Dalal 7 13 October 2021 9 Problem Details for HTTP APIs 10 draft-ietf-httpapi-rfc7807bis-01 12 Abstract 14 This document defines a "problem detail" as a way to carry machine- 15 readable details of errors in a HTTP response to avoid the need to 16 define new error response formats for HTTP APIs. 18 Discussion Venues 20 This note is to be removed before publishing as an RFC. 22 Source for this draft and an issue tracker can be found at 23 https://github.com/ietf-wg-httpapi/rfc7807bis. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on 16 April 2022. 42 Copyright Notice 44 Copyright (c) 2021 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 49 license-info) in effect on the date of publication of this document. 50 Please review these documents carefully, as they describe your rights 51 and restrictions with respect to this document. Code Components 52 extracted from this document must include Simplified BSD License text 53 as described in Section 4.e of the Trust Legal Provisions and are 54 provided without warranty as described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4 60 3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4 61 3.1. Members of a Problem Details Object . . . . . . . . . . . 5 62 3.1.1. "type" . . . . . . . . . . . . . . . . . . . . . . . 5 63 3.1.2. "status" . . . . . . . . . . . . . . . . . . . . . . 6 64 3.1.3. "title" . . . . . . . . . . . . . . . . . . . . . . . 7 65 3.1.4. "detail" . . . . . . . . . . . . . . . . . . . . . . 7 66 3.1.5. "instance" . . . . . . . . . . . . . . . . . . . . . 7 67 3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 8 68 4. Defining New Problem Types . . . . . . . . . . . . . . . . . 8 69 4.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 9 70 4.2. Registered Problem Types . . . . . . . . . . . . . . . . 10 71 4.2.1. about:blank . . . . . . . . . . . . . . . . . . . . . 11 72 5. Security Considerations . . . . . . . . . . . . . . . . . . . 11 73 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 74 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 75 7.1. Normative References . . . . . . . . . . . . . . . . . . 12 76 7.2. Informative References . . . . . . . . . . . . . . . . . 13 77 Appendix A. JSON Schema for HTTP Problems . . . . . . . . . . . 14 78 Appendix B. HTTP Problems and XML . . . . . . . . . . . . . . . 15 79 Appendix C. Using Problem Details with Other Formats . . . . . . 17 80 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 18 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 83 1. Introduction 85 HTTP [HTTP] status codes are sometimes not sufficient to convey 86 enough information about an error to be helpful. While humans behind 87 Web browsers can be informed about the nature of the problem with an 88 HTML [HTML5] response body, non-human consumers of so-called "HTTP 89 APIs" are usually not. 91 This specification defines simple JSON [RFC8259] and XML [XML] 92 document formats to suit this purpose. They are designed to be 93 reused by HTTP APIs, which can identify distinct "problem types" 94 specific to their needs. 96 Thus, API clients can be informed of both the high-level error class 97 (using the status code) and the finer-grained details of the problem 98 (using one of these formats). 100 For example, consider a response that indicates that the client's 101 account doesn't have enough credit. The 403 Forbidden status code 102 might be deemed most appropriate to use, as it will inform HTTP- 103 generic software (such as client libraries, caches, and proxies) of 104 the general semantics of the response. 106 However, that doesn't give the API client enough information about 107 why the request was forbidden, the applicable account balance, or how 108 to correct the problem. If these details are included in the 109 response body in a machine-readable format, the client can treat it 110 appropriately; for example, triggering a transfer of more credit into 111 the account. 113 This specification does this by identifying a specific type of 114 problem (e.g., "out of credit") with a URI [RFC3986]; HTTP APIs can 115 do this by nominating new URIs under their control, or by reusing 116 existing ones. 118 Additionally, problem details can contain other information, such as 119 a URI that identifies the specific occurrence of the problem 120 (effectively giving an identifier to the concept "The time Joe didn't 121 have enough credit last Thursday"), which can be useful for support 122 or forensic purposes. 124 The data model for problem details is a JSON [RFC8259] object; when 125 formatted as a JSON document, it uses the "application/problem+json" 126 media type. Appendix B defines how to express them in an equivalent 127 XML format, which uses the "application/problem+xml" media type. 129 Note that problem details are (naturally) not the only way to convey 130 the details of a problem in HTTP; if the response is still a 131 representation of a resource, for example, it's often preferable to 132 accommodate describing the relevant details in that application's 133 format. Likewise, in many situations, there is an appropriate HTTP 134 status code that does not require extra detail to be conveyed. 136 Instead, the aim of this specification is to define common error 137 formats for those applications that need one, so that they aren't 138 required to define their own, or worse, tempted to redefine the 139 semantics of existing HTTP status codes. Even if an application 140 chooses not to use it to convey errors, reviewing its design can help 141 guide the design decisions faced when conveying errors in an existing 142 format. 144 2. Requirements 146 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 147 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 148 "OPTIONAL" in this document are to be interpreted as described in BCP 149 14 [RFC2119] [RFC8174] when, and only when, they appear in all 150 capitals, as shown here. 152 3. The Problem Details JSON Object 154 The canonical model for problem details is a JSON [RFC8259] object. 156 When serialized as a JSON document, that format is identified with 157 the "application/problem+json" media type. 159 For example, an HTTP response carrying JSON problem details: 161 HTTP/1.1 403 Forbidden 162 Content-Type: application/problem+json 163 Content-Language: en 165 { 166 "type": "https://example.com/probs/out-of-credit", 167 "title": "You do not have enough credit.", 168 "detail": "Your current balance is 30, but that costs 50.", 169 "instance": "/account/12345/msgs/abc", 170 "balance": 30, 171 "accounts": ["/account/12345", 172 "/account/67890"] 173 } 175 Here, the out-of-credit problem (identified by its type URI) 176 indicates the reason for the 403 in "title", gives a reference for 177 the specific problem occurrence with "instance", gives occurrence- 178 specific details in "detail", and adds two extensions; "balance" 179 conveys the account's balance, and "accounts" gives links where the 180 account can be topped up. 182 The ability to convey problem-specific extensions allows more than 183 one problem to be conveyed. For example: 185 HTTP/1.1 400 Bad Request 186 Content-Type: application/problem+json 187 Content-Language: en 189 { 190 "type": "https://example.net/validation-error", 191 "title": "Your request parameters didn't validate.", 192 "invalid_params": [ { 193 "name": "age", 194 "reason": "must be a positive integer" 195 }, 196 { 197 "name": "color", 198 "reason": "must be 'green', 'red' or 'blue'"} 199 ] 200 } 202 Note that this requires each of the subproblems to be similar enough 203 to use the same HTTP status code. If they do not, the 207 (Multi- 204 Status) code [RFC4918] could be used to encapsulate multiple status 205 messages. 207 3.1. Members of a Problem Details Object 209 Problem detail objects can have the following members. If the type 210 of a member's value does not match the specified type, the member 211 MUST be ignored -- i.e., processing will continue as if the member 212 had not been present. 214 3.1.1. "type" 216 The "type" member is a JSON string containing a URI reference 217 [RFC3986] that identifies the problem type. Consumers MUST use the 218 "type" URI (after resolution, if necessary) as the primary identifier 219 for the problem type. 221 When this member is not present, its value is assumed to be 222 "about:blank". 224 If the type URI is a locator (e.g., those with a "http" or "https" 225 scheme), dereferencing it SHOULD provide human-readable documentation 226 for the problem type (e.g., using HTML [HTML5]). However, consumers 227 SHOULD NOT automatically dereference the type URI, unless they do so 228 in the course of providing information to developers (e.g., when a 229 debugging tool is in use). 231 When "type" contains a relative URI, it is resolved relative to the 232 document's base URI, as per [RFC3986], Section 5. However, using 233 relative URIs can cause confusion, and they might not be handled 234 correctly by all implementations. 236 For example, if the two resources "https://api.example.org/foo/ 237 bar/123" and "https://api.example.org/widget/456" both respond with a 238 "type" equal to the relative URI reference "example-problem", when 239 resolved they will identify different resources 240 ("https://api.example.org/foo/bar/example-problem" and 241 "https://api.example.org/widget/example-problem" respectively). As a 242 result, it is RECOMMENDED that absolute URIs be used in "type" when 243 possible, and that when relative URIs are used, they include the full 244 path (e.g., "/types/123"). 246 The type URI can also be a non-resolvable URI. For example, the tag 247 URI scheme [RFC4151] can be used to uniquely identify problem types: 249 tag:mnot@mnot.net,2021-09-17:OutOfLuck 251 Non-resolvable URIs ought not be used when there is some future 252 possibility that it might become desireable to do so. For example, 253 if the URI above were used in an API and later a tool was adopted 254 that resolves type URIs to discover information about the error, 255 taking advantage of that capability would require switching to a 256 resolvable URI, thereby creating a new identity for the problem type 257 and thus introducing a breaking change. 259 3.1.2. "status" 261 The "status" member is a JSON number indicating the HTTP status code 262 ([HTTP], Section 15) generated by the origin server for this 263 occurrence of the problem. 265 The "status" member, if present, is only advisory; it conveys the 266 HTTP status code used for the convenience of the consumer. 267 Generators MUST use the same status code in the actual HTTP response, 268 to assure that generic HTTP software that does not understand this 269 format still behaves correctly. See Section 5 for further caveats 270 regarding its use. 272 Consumers can use the status member to determine what the original 273 status code used by the generator was, in cases where it has been 274 changed (e.g., by an intermediary or cache), and when message bodies 275 persist without HTTP information. Generic HTTP software will still 276 use the HTTP status code. 278 3.1.3. "title" 280 The "title" member is a JSON string containing a short, human- 281 readable summary of the problem type. 283 It SHOULD NOT change from occurrence to occurrence of the problem, 284 except for purposes of localization (e.g., using proactive content 285 negotiation; see [HTTP], Section 12.1). 287 The "title" string is advisory and included only for users who are 288 not aware of the semantics of the URI and do not have the ability to 289 discover them (e.g., offline log analysis). 291 3.1.4. "detail" 293 The "detail" member is a JSON string containing a human-readable 294 explanation specific to this occurrence of the problem. 296 The "detail" member, if present, ought to focus on helping the client 297 correct the problem, rather than giving debugging information. 299 Consumers SHOULD NOT parse the "detail" member for information; 300 extensions are more suitable and less error-prone ways to obtain such 301 information. 303 3.1.5. "instance" 305 The "instance" member is a JSON string containing a URI reference 306 that identifies the specific occurrence of the problem. 308 When the "instance" URI is dereferenceable, the problem details 309 object can be fetched from it. It might also return information 310 about the problem occurrence in other formats through use of 311 proactive content negotiation (see [HTTP], Section 12.5.1). 313 When the "instance" URI is not dereferenceable, it serves as a unique 314 identifier for the problem occurrence that may be of significance to 315 the server, but is opaque to the client. 317 When "instance" contains a relative URI, it is resolved relative to 318 the document's base URI, as per [RFC3986], Section 5. However, using 319 relative URIs can cause confusion, and they might not be handled 320 correctly by all implementations. 322 For example, if the two resources "https://api.example.org/foo/ 323 bar/123" and "https://api.example.org/widget/456" both respond with 324 an "instance" equal to the relative URI reference "example-instance", 325 when resolved they will identify different resources 326 ("https://api.example.org/foo/bar/example-instance" and 327 "https://api.example.org/widget/example-instance" respectively). As 328 a result, it is RECOMMENDED that absolute URIs be used in "instance" 329 when possible, and that when relative URIs are used, they include the 330 full path (e.g., "/instances/123"). 332 3.2. Extension Members 334 Problem type definitions MAY extend the problem details object with 335 additional members. 337 For example, our "out of credit" problem above defines two such 338 extensions -- "balance" and "accounts" to convey additional, problem- 339 specific information. 341 Clients consuming problem details MUST ignore any such extensions 342 that they don't recognize; this allows problem types to evolve and 343 include additional information in the future. 345 Note that because extensions are effectively put into a namespace by 346 the problem type, it is not possible to define new "standard" members 347 without defining a new media type. 349 4. Defining New Problem Types 351 When an HTTP API needs to define a response that indicates an error 352 condition, it might be appropriate to do so by defining a new problem 353 type. 355 Before doing so, it's important to understand what they are good for, 356 and what's better left to other mechanisms. 358 Problem details are not a debugging tool for the underlying 359 implementation; rather, they are a way to expose greater detail about 360 the HTTP interface itself. Designers of new problem types need to 361 carefully consider the Security Considerations (Section 5), in 362 particular, the risk of exposing attack vectors by exposing 363 implementation internals through error messages. 365 Likewise, truly generic problems -- i.e., conditions that could 366 potentially apply to any resource on the Web -- are usually better 367 expressed as plain status codes. For example, a "write access 368 disallowed" problem is probably unnecessary, since a 403 Forbidden 369 status code in response to a PUT request is self-explanatory. 371 Finally, an application might have a more appropriate way to carry an 372 error in a format that it already defines. Problem details are 373 intended to avoid the necessity of establishing new "fault" or 374 "error" document formats, not to replace existing domain-specific 375 formats. 377 That said, it is possible to add support for problem details to 378 existing HTTP APIs using HTTP content negotiation (e.g., using the 379 Accept request header to indicate a preference for this format; see 380 [HTTP], Section 12.5.1). 382 New problem type definitions MUST document: 384 1. a type URI (typically, with the "http" or "https" scheme), 386 2. a title that appropriately describes it (think short), and 388 3. the HTTP status code for it to be used with. 390 Problem type definitions MAY specify the use of the Retry-After 391 response header ([HTTP], Section 10.2.3) in appropriate 392 circumstances. 394 A problem's type URI SHOULD resolve to HTML [HTML5] documentation 395 that explains how to resolve the problem. 397 A problem type definition MAY specify additional members on the 398 problem details object. For example, an extension might use typed 399 links [RFC8288] to another resource that can be used by machines to 400 resolve the problem. 402 If such additional members are defined, their names SHOULD start with 403 a letter (ALPHA, as per [RFC5234], Appendix B.1) and SHOULD consist 404 of characters from ALPHA, DIGIT ([RFC5234], Appendix B.1), and "_" 405 (so that it can be serialized in formats other than JSON), and they 406 SHOULD be three characters or longer. 408 4.1. Example 410 For example, if you are publishing an HTTP API to your online 411 shopping cart, you might need to indicate that the user is out of 412 credit (our example from above), and therefore cannot make the 413 purchase. 415 If you already have an application-specific format that can 416 accommodate this information, it's probably best to do that. 417 However, if you don't, you might consider using one of the problem 418 details formats -- JSON if your API is JSON-based, or XML if it uses 419 that format. 421 To do so, you might look for an already-defined type URI that suits 422 your purposes. If one is available, you can reuse that URI. 424 If one isn't available, you could mint and document a new type URI 425 (which ought to be under your control and stable over time), an 426 appropriate title and the HTTP status code that it will be used with, 427 along with what it means and how it should be handled. 429 In summary: an instance URI will always identify a specific 430 occurrence of a problem. On the other hand, type URIs can be reused 431 if an appropriate description of a problem type is already available 432 someplace else, or they can be created for new problem types. 434 4.2. Registered Problem Types 436 This specification defines the HTTP Problem Type registry for common, 437 widely-used problem type URIs, to promote reuse. 439 Registration requests are reviewed and approved by a Designated 440 Expert, as per [RFC8126], Section 4.5. A specification document is 441 appreciated, but not required. 443 When evaluating requests the Expert(s) should consider community 444 feedback, how well-defined the problem type is, and this 445 specification's requirements. Vendor-specific, application-specific, 446 and deployment-specific values are not registrable. 448 Registrations MAY use the prefix "https://iana.org/assignments/http- 449 problem-types#", and are encouraged to do so when a stable, neutral 450 URI is desirable. 452 Registration requests should use the following template: 454 * Type URI: [a URI for the problem type] 456 * Title: [a short description of the problem type] 458 * Recommended HTTP status code: [what status code is most 459 appropriate to use with the type] 461 * Reference: [to a specification defining the type] 462 See the registry at https://iana.org/assignments/http-problem-types 463 (https://iana.org/assignments/http-problem-types) for details on 464 where to send registration requests. 466 4.2.1. about:blank 468 This specification registers one Problem Type, "about:blank". 470 * Type URI: about:blank 472 * Title: See HTTP Status Code 474 * Recommended HTTP status code: N/A 476 * Reference: [this document] 478 The "about:blank" URI [RFC6694], when used as a problem type, 479 indicates that the problem has no additional semantics beyond that of 480 the HTTP status code. 482 When "about:blank" is used, the title SHOULD be the same as the 483 recommended HTTP status phrase for that code (e.g., "Not Found" for 484 404, and so on), although it MAY be localized to suit client 485 preferences (expressed with the Accept-Language request header). 487 Please note that according to how the "type" member is defined 488 (Section 3.1), the "about:blank" URI is the default value for that 489 member. Consequently, any problem details object not carrying an 490 explicit "type" member implicitly uses this URI. 492 5. Security Considerations 494 When defining a new problem type, the information included must be 495 carefully vetted. Likewise, when actually generating a problem -- 496 however it is serialized -- the details given must also be 497 scrutinized. 499 Risks include leaking information that can be exploited to compromise 500 the system, access to the system, or the privacy of users of the 501 system. 503 Generators providing links to occurrence information are encouraged 504 to avoid making implementation details such as a stack dump available 505 through the HTTP interface, since this can expose sensitive details 506 of the server implementation, its data, and so on. 508 The "status" member duplicates the information available in the HTTP 509 status code itself, thereby bringing the possibility of disagreement 510 between the two. Their relative precedence is not clear, since a 511 disagreement might indicate that (for example) an intermediary has 512 modified the HTTP status code in transit (e.g., by a proxy or cache). 514 As such, those defining problem types as well as generators and 515 consumers of problems need to be aware that generic software (such as 516 proxies, load balancers, firewalls, and virus scanners) are unlikely 517 to know of or respect the status code conveyed in this member. 519 6. IANA Considerations 521 Please update the "application/problem+json" and "application/ 522 problem+xml" registrations in the Internet media types registry 523 [RFC6838]. to refer to this document. 525 Please create the HTTP Problem Types Registry, as specified in 526 Section 4.2, and populate it with "about:blank" as per Section 4.2.1. 528 7. References 530 7.1. Normative References 532 [HTTP] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP 533 Semantics", Work in Progress, Internet-Draft, draft-ietf- 534 httpbis-semantics-19, 12 September 2021, 535 . 538 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 539 Requirement Levels", BCP 14, RFC 2119, 540 DOI 10.17487/RFC2119, March 1997, 541 . 543 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 544 Resource Identifier (URI): Generic Syntax", STD 66, 545 RFC 3986, DOI 10.17487/RFC3986, January 2005, 546 . 548 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 549 Specifications: ABNF", STD 68, RFC 5234, 550 DOI 10.17487/RFC5234, January 2008, 551 . 553 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 554 Writing an IANA Considerations Section in RFCs", BCP 26, 555 RFC 8126, DOI 10.17487/RFC8126, June 2017, 556 . 558 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 559 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 560 May 2017, . 562 [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 563 Interchange Format", STD 90, RFC 8259, 564 DOI 10.17487/RFC8259, December 2017, 565 . 567 [XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and 568 F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth 569 Edition)", World Wide Web Consortium Recommendation REC- 570 xml-20081126, 26 November 2008, 571 . 573 7.2. Informative References 575 [HTML5] WHATWG, "HTML - Living Standard", n.d., 576 . 578 [I-D.draft-bhutton-json-schema-00] 579 Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON 580 Schema: A Media Type for Describing JSON Documents", Work 581 in Progress, Internet-Draft, draft-bhutton-json-schema-00, 582 8 December 2020, . 585 [ISO-19757-2] 586 International Organization for Standardization, 587 "Information Technology -- Document Schema Definition 588 Languages (DSDL) -- Part 2: Grammar-based Validation -- 589 RELAX NG", ISO/IEC 19757-2, 2003. 591 [RDFA] Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa 592 Core 1.1 - Third Edition", World Wide Web Consortium 593 Recommendation REC-rdfa-core-20150317, 17 March 2015, 594 . 596 [RFC4151] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme", 597 RFC 4151, DOI 10.17487/RFC4151, October 2005, 598 . 600 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 601 Authoring and Versioning (WebDAV)", RFC 4918, 602 DOI 10.17487/RFC4918, June 2007, 603 . 605 [RFC6694] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694, 606 DOI 10.17487/RFC6694, August 2012, 607 . 609 [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type 610 Specifications and Registration Procedures", BCP 13, 611 RFC 6838, DOI 10.17487/RFC6838, January 2013, 612 . 614 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 615 DOI 10.17487/RFC8288, October 2017, 616 . 618 [XSLT] Clark, J., Pieters, S., and H. Thompson, "Associating 619 Style Sheets with XML documents 1.0 (Second Edition)", 620 World Wide Web Consortium Recommendation REC-xml- 621 stylesheet-20101028, 28 October 2010, 622 . 624 Appendix A. JSON Schema for HTTP Problems 626 This section presents a non-normative JSON Schema 627 [I-D.draft-bhutton-json-schema-00] for HTTP Problem Details. If 628 there is any disagreement between it and the text of the 629 specification, the latter prevails. 631 # NOTE: '\' line wrapping per RFC 8792 632 { 633 "$schema": "https://json-schema.org/draft/2020-12/schema", 634 "title": "A problem object RFC 7807bis", 635 "type": "object", 636 "properties": { 637 "type": { 638 "type": "string", 639 "format": "uri-reference", 640 "description": "A URI reference RFC3986 that identifies the \ 641 problem type." 642 }, 643 "title": { 644 "type": "string", 645 "description": "A short, human-readable summary of the \ 646 problem type. It SHOULD NOT change from occurrence to occurrence \ 647 of the problem, except for purposes of localization (e.g., using \ 648 proactive content negotiation; see RFC7231, Section 3.4)" 649 }, 650 "status": { 651 "type": "integer", 652 "description": "The HTTP status code (RFC7231, Section 6) \ 653 generated by the origin server for this occurrence of the problem.", 654 "minimum": 100, 655 "maximum": 599 656 }, 657 "detail": { 658 "type": "string", 659 "description": "A human-readable explanation specific to \ 660 this occurrence of the problem." 661 }, 662 "instance": { 663 "type": "string", 664 "format": "uri-reference", 665 "description": "A URI reference that identifies the \ 666 specific occurrence of the problem. It may or may not yield \ 667 further information if dereferenced." 668 } 669 } 670 } 672 Appendix B. HTTP Problems and XML 674 Some HTTP-based APIs use XML [XML] as their primary format 675 convention. Such APIs can express problem details using the format 676 defined in this appendix. 678 The RELAX NG schema [ISO-19757-2] for the XML format is as follows. 679 Keep in mind that this schema is only meant as documentation, and not 680 as a normative schema that captures all constraints of the XML 681 format. Also, it would be possible to use other XML schema languages 682 to define a similar set of constraints (depending on the features of 683 the chosen schema language). 685 default namespace ns = "urn:ietf:rfc:7807" 687 start = problem 689 problem = 690 element problem { 691 ( element type { xsd:anyURI }? 692 & element title { xsd:string }? 693 & element detail { xsd:string }? 694 & element status { xsd:positiveInteger }? 695 & element instance { xsd:anyURI }? ), 696 anyNsElement 697 } 699 anyNsElement = 700 ( element ns:* { anyNsElement | text } 701 | attribute * { text })* 703 The media type for this format is "application/problem+xml". 705 Extension arrays and objects are serialized into the XML format by 706 considering an element containing a child or children to represent an 707 object, except for elements that contain only child element(s) named 708 'i', which are considered arrays. For example, the example above 709 appears in XML as follows: 711 HTTP/1.1 403 Forbidden 712 Content-Type: application/problem+xml 713 Content-Language: en 715 716 717 https://example.com/probs/out-of-credit 718 You do not have enough credit. 719 Your current balance is 30, but that costs 50. 720 https://example.net/account/12345/msgs/abc 721 30 722 723 https://example.net/account/12345 724 https://example.net/account/67890 725 726 728 Note that this format uses an XML namespace. This is primarily to 729 allow embedding it into other XML-based formats; it does not imply 730 that it can or should be extended with elements or attributes in 731 other namespaces. The RELAX NG schema explicitly only allows 732 elements from the one namespace used in the XML format. Any 733 extension arrays and objects MUST be serialized into XML markup using 734 only that namespace. 736 When using the XML format, it is possible to embed an XML processing 737 instruction in the XML that instructs clients to transform the XML, 738 using the referenced XSLT code [XSLT]. If this code is transforming 739 the XML into (X)HTML, then it is possible to serve the XML format, 740 and yet have clients capable of performing the transformation display 741 human-friendly (X)HTML that is rendered and displayed at the client. 742 Note that when using this method, it is advisable to use XSLT 1.0 in 743 order to maximize the number of clients capable of executing the XSLT 744 code. 746 Appendix C. Using Problem Details with Other Formats 748 In some situations, it can be advantageous to embed problem details 749 in formats other than those described here. For example, an API that 750 uses HTML [HTML5] might want to also use HTML for expressing its 751 problem details. 753 Problem details can be embedded in other formats either by 754 encapsulating one of the existing serializations (JSON or XML) into 755 that format or by translating the model of a problem detail (as 756 specified in Section 3) into the format's conventions. 758 For example, in HTML, a problem could be embedded by encapsulating 759 JSON in a script tag: 761 773 or by inventing a mapping into RDFa [RDFA]. 775 This specification does not make specific recommendations regarding 776 embedding problem details in other formats; the appropriate way to 777 embed them depends both upon the format in use and application of 778 that format. 780 Acknowledgements 782 The authors would like to thank Jan Algermissen, Subbu Allamaraju, 783 Mike Amundsen, Roy Fielding, Eran Hammer, Sam Johnston, Mike McCall, 784 Julian Reschke, and James Snell for review of this specification. 786 Authors' Addresses 788 Mark Nottingham 789 Prahran 790 Australia 792 Email: mnot@mnot.net 793 URI: https://www.mnot.net/ 795 Erik Wilde 797 Email: erik.wilde@dret.net 798 URI: http://dret.net/netdret/ 800 Sanjay Dalal 802 Email: sanjay.dalal@cal.berkeley.edu 803 URI: https://github.com/sdatspun2