idnits 2.17.1 draft-ietf-httpapi-rfc7807bis-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC7807, but the abstract doesn't seem to directly say this. It does mention RFC7807 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 773 has weird spacing: '...element type ...' == Line 774 has weird spacing: '...element title...' == Line 775 has weird spacing: '...element detai...' == Line 776 has weird spacing: '...element statu...' == Line 777 has weird spacing: '...element insta...' == (1 more instance...) -- The document date (25 May 2022) is 701 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Normative reference to a draft: ref. 'HTTP' -- Possible downref: Non-RFC (?) normative reference: ref. 'XML' == Outdated reference: A later version (-01) exists of draft-bhutton-json-schema-00 Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTPAPI M. Nottingham 3 Internet-Draft 4 Obsoletes: 7807 (if approved) E. Wilde 5 Intended status: Standards Track 6 Expires: 26 November 2022 S. Dalal 7 25 May 2022 9 Problem Details for HTTP APIs 10 draft-ietf-httpapi-rfc7807bis-03 12 Abstract 14 This document defines a "problem detail" to carry machine-readable 15 details of errors in HTTP response content and/or fields to avoid the 16 need to define new error response formats for HTTP APIs. 18 Discussion Venues 20 This note is to be removed before publishing as an RFC. 22 Source for this draft and an issue tracker can be found at 23 https://github.com/ietf-wg-httpapi/rfc7807bis. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on 26 November 2022. 42 Copyright Notice 44 Copyright (c) 2022 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 49 license-info) in effect on the date of publication of this document. 50 Please review these documents carefully, as they describe your rights 51 and restrictions with respect to this document. Code Components 52 extracted from this document must include Revised BSD License text as 53 described in Section 4.e of the Trust Legal Provisions and are 54 provided without warranty as described in the Revised BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 3 60 3. The Problem Details JSON Object . . . . . . . . . . . . . . . 4 61 3.1. Members of a Problem Details Object . . . . . . . . . . . 6 62 3.1.1. "type" . . . . . . . . . . . . . . . . . . . . . . . 6 63 3.1.2. "status" . . . . . . . . . . . . . . . . . . . . . . 7 64 3.1.3. "title" . . . . . . . . . . . . . . . . . . . . . . . 7 65 3.1.4. "detail" . . . . . . . . . . . . . . . . . . . . . . 7 66 3.1.5. "instance" . . . . . . . . . . . . . . . . . . . . . 8 67 3.2. Extension Members . . . . . . . . . . . . . . . . . . . . 8 68 4. The Problem HTTP Field . . . . . . . . . . . . . . . . . . . 9 69 5. Defining New Problem Types . . . . . . . . . . . . . . . . . 10 70 5.1. Example . . . . . . . . . . . . . . . . . . . . . . . . . 11 71 5.2. Registered Problem Types . . . . . . . . . . . . . . . . 11 72 5.2.1. about:blank . . . . . . . . . . . . . . . . . . . . . 12 73 6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 74 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 75 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 76 8.1. Normative References . . . . . . . . . . . . . . . . . . 14 77 8.2. Informative References . . . . . . . . . . . . . . . . . 15 78 Appendix A. JSON Schema for HTTP Problems . . . . . . . . . . . 16 79 Appendix B. HTTP Problems and XML . . . . . . . . . . . . . . . 17 80 Appendix C. Using Problem Details with Other Formats . . . . . . 19 81 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 20 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 84 1. Introduction 86 HTTP status codes (Section 15 of [HTTP]) cannot always convey enough 87 information about errors to be helpful. While humans using Web 88 browsers can often understand an HTML [HTML5] response body, non- 89 human consumers of HTTP APIs have difficulty doing so. 91 To address that shortcoming, this specification defines simple JSON 92 [JSON] and XML [XML] document formats and a HTTP field to describe 93 the specifics of problem(s) encountered -- "problem details". 95 For example, consider a response indicating that the client's account 96 doesn't have enough credit. The API's designer might decide to use 97 the 403 Forbidden status code to inform HTTP-generic software (such 98 as client libraries, caches, and proxies) of the response's general 99 semantics. API-specific problem details (such as the why the server 100 refused the request and the applicable account balance) can be 101 carried in the response content, so that the client can act upon them 102 appropriately (for example, triggering a transfer of more credit into 103 the account). 105 This specification identifies the specific "problem type" (e.g., "out 106 of credit") with a URI [URI]. HTTP APIs can use URIs under their 107 control to identify problems specific to them, or can reuse existing 108 ones to facilitate interoperability and leverage common semantics 109 (see Section 5.2). 111 Problem details can contain other information, such as a URI 112 identifying the problem's specific occurrence (effectively giving an 113 identifier to the concept "The time Joe didn't have enough credit 114 last Thursday"), which can be useful for support or forensic 115 purposes. 117 The data model for problem details is a JSON [JSON] object; when 118 serialized as a JSON document, it uses the "application/problem+json" 119 media type. Appendix B defines an equivalent XML format, which uses 120 the "application/problem+xml" media type. 122 Note that problem details are (naturally) not the only way to convey 123 the details of a problem in HTTP. If the response is still a 124 representation of a resource, for example, it's often preferable to 125 describe the relevant details in that application's format. 126 Likewise, defined HTTP status codes cover many situations with no 127 need to convey extra detail. 129 This specification's aim is to define common error formats for 130 applications that need one so that they aren't required to define 131 their own, or worse, tempted to redefine the semantics of existing 132 HTTP status codes. Even if an application chooses not to use it to 133 convey errors, reviewing its design can help guide the design 134 decisions faced when conveying errors in an existing format. 136 2. Notational Conventions 138 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 139 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 140 "OPTIONAL" in this document are to be interpreted as described in BCP 141 14 [RFC2119] [RFC8174] when, and only when, they appear in all 142 capitals, as shown here. 144 This document uses the following terminology from [STRUCTURED-FIELDS] 145 to specify syntax and parsing: Dictionary, String, and Integer. 147 3. The Problem Details JSON Object 149 The canonical model for problem details is a JSON [JSON] object. 150 When serialized in a JSON document, that format is identified with 151 the "application/problem+json" media type. 153 For example: 155 POST /purchase HTTP/1.1 156 Host: store.example.com 157 Content-Type: application/json 158 Accept: application/json, application/problem+json 160 { 161 "item": 123456, 162 "quantity": 2 163 } 165 HTTP/1.1 403 Forbidden 166 Content-Type: application/problem+json 167 Content-Language: en 169 { 170 "type": "https://example.com/probs/out-of-credit", 171 "title": "You do not have enough credit.", 172 "detail": "Your current balance is 30, but that costs 50.", 173 "instance": "/account/12345/msgs/abc", 174 "balance": 30, 175 "accounts": ["/account/12345", 176 "/account/67890"] 177 } 179 Here, the out-of-credit problem (identified by its type) indicates 180 the reason for the 403 in "title", identifies the specific problem 181 occurrence with "instance", gives occurrence-specific details in 182 "detail", and adds two extensions: "balance" conveys the account's 183 balance, and "accounts" lists links where the account can be topped 184 up. 186 When designed to accommodate it, problem-specific extensions can 187 allow more than one instance of the same problem type to be conveyed. 188 For example: 190 POST /details HTTP/1.1 191 Host: account.example.com 192 Accept: application/json 194 { 195 "age": 42.3, 196 "profile": { 197 "color": "yellow" 198 } 199 } 201 HTTP/1.1 400 Bad Request 202 Content-Type: application/problem+json 203 Content-Language: en 205 { 206 "type": "https://example.net/validation-error", 207 "title": "Your request is not valid.", 208 "errors": [ 209 { 210 "detail": "must be a positive integer", 211 "pointer": "#/age" 212 }, 213 { 214 "detail": "must be 'green', 'red' or 'blue'", 215 "pointer": "#/profile/color" 216 } 217 ] 218 } 220 The fictional problem type here defines the "errors" extension, an 221 array that describes the details of each validation error. Each 222 member is an object containing "detail" to describe the issue, and 223 "pointer" to locate the problem within the request's content using a 224 JSON Pointer [JSON-POINTER]. 226 When an API encounters multiple problems that do not share the same 227 type, it is RECOMMENDED that the most relevant or urgent problem be 228 represented in the response. While it is possible to create generic 229 "batch" problem types that convey multiple, disparate types, they do 230 not map well into HTTP semantics. 232 Note also that the API has responded with the application/ 233 problem+json type, even though the client did not list it in Accept, 234 as is allowed by HTTP (see Section 12.5.1 of [HTTP]). 236 3.1. Members of a Problem Details Object 238 Problem detail objects can have the following members. If a member's 239 value type does not match the specified type, the member MUST be 240 ignored -- i.e., processing will continue as if the member had not 241 been present. 243 3.1.1. "type" 245 The "type" member is a JSON string containing a URI reference [URI] 246 that identifies the problem type. Consumers MUST use the "type" URI 247 (after resolution, if necessary) problem's primary identifier. 249 When this member is not present, its value is assumed to be 250 "about:blank". 252 If the type URI is a locator (e.g., those with a "http" or "https" 253 scheme), dereferencing it SHOULD provide human-readable documentation 254 for the problem type (e.g., using HTML [HTML5]). However, consumers 255 SHOULD NOT automatically dereference the type URI, unless they do so 256 when providing information to developers (e.g., when a debugging tool 257 is in use). 259 When "type" contains a relative URI, it is resolved relative to the 260 document's base URI, as per [URI], Section 5. However, using 261 relative URIs can cause confusion, and they might not be handled 262 correctly by all implementations. 264 For example, if the two resources "https://api.example.org/foo/ 265 bar/123" and "https://api.example.org/widget/456" both respond with a 266 "type" equal to the relative URI reference "example-problem", when 267 resolved they will identify different resources 268 ("https://api.example.org/foo/bar/example-problem" and 269 "https://api.example.org/widget/example-problem" respectively). As a 270 result, it is RECOMMENDED that absolute URIs be used in "type" when 271 possible, and that when relative URIs are used, they include the full 272 path (e.g., "/types/123"). 274 The type URI can also be a non-resolvable URI. For example, the tag 275 URI scheme [TAG] can be used to uniquely identify problem types: 277 tag:mnot@mnot.net,2021-09-17:OutOfLuck 278 Non-resolvable URIs ought not be used when there is some future 279 possibility that it might become desirable to do so. For example, if 280 an API designer used the URI above and later adopted a tool that 281 resolves type URIs to discover information about the error, taking 282 advantage of that capability would require switching to a resolvable 283 URI, creating a new identity for the problem type and thus 284 introducing a breaking change. 286 3.1.2. "status" 288 The "status" member is a JSON number indicating the HTTP status code 289 ([HTTP], Section 15) generated by the origin server for this 290 occurrence of the problem. 292 The "status" member, if present, is only advisory; it conveys the 293 HTTP status code used for the convenience of the consumer. 294 Generators MUST use the same status code in the actual HTTP response, 295 to assure that generic HTTP software that does not understand this 296 format still behaves correctly. See Section 6 for further caveats 297 regarding its use. 299 Consumers can use the status member to determine what the original 300 status code used by the generator was, in cases where it has been 301 changed (e.g., by an intermediary or cache), and when message bodies 302 persist without HTTP information. Generic HTTP software will still 303 use the HTTP status code. 305 3.1.3. "title" 307 The "title" member is a JSON string containing a short, human- 308 readable summary of the problem type. 310 It SHOULD NOT change from occurrence to occurrence of the problem, 311 except for localization (e.g., using proactive content negotiation; 312 see [HTTP], Section 12.1). 314 The "title" string is advisory and included only for users who are 315 not aware of the semantics of the URI and can not discover them 316 (e.g., during offline log analysis). 318 3.1.4. "detail" 320 The "detail" member is a JSON string containing a human-readable 321 explanation specific to this occurrence of the problem. 323 The "detail" member, if present, ought to focus on helping the client 324 correct the problem, rather than giving debugging information. 326 Consumers SHOULD NOT parse the "detail" member for information; 327 extensions are more suitable and less error-prone ways to obtain such 328 information. 330 3.1.5. "instance" 332 The "instance" member is a JSON string containing a URI reference 333 that identifies the specific occurrence of the problem. 335 When the "instance" URI is dereferenceable, the problem details 336 object can be fetched from it. It might also return information 337 about the problem occurrence in other formats through use of 338 proactive content negotiation (see [HTTP], Section 12.5.1). 340 When the "instance" URI is not dereferenceable, it serves as a unique 341 identifier for the problem occurrence that may be of significance to 342 the server, but is opaque to the client. 344 When "instance" contains a relative URI, it is resolved relative to 345 the document's base URI, as per [URI], Section 5. However, using 346 relative URIs can cause confusion, and they might not be handled 347 correctly by all implementations. 349 For example, if the two resources "https://api.example.org/foo/ 350 bar/123" and "https://api.example.org/widget/456" both respond with 351 an "instance" equal to the relative URI reference "example-instance", 352 when resolved they will identify different resources 353 ("https://api.example.org/foo/bar/example-instance" and 354 "https://api.example.org/widget/example-instance" respectively). As 355 a result, it is RECOMMENDED that absolute URIs be used in "instance" 356 when possible, and that when relative URIs are used, they include the 357 full path (e.g., "/instances/123"). 359 3.2. Extension Members 361 Problem type definitions MAY extend the problem details object with 362 additional members that are specific to that problem type. 364 For example, our "out of credit" problem above defines two such 365 extensions -- "balance" and "accounts" to convey additional, problem- 366 specific information. 368 Similarly, the "validation error" example defines a "errors" 369 extension that contains a list of individual error occurrences found, 370 with details and a pointer to the location of each. 372 Clients consuming problem details MUST ignore any such extensions 373 that they don't recognize; this allows problem types to evolve and 374 include additional information in the future. 376 Future updates to this specification might define additional members 377 that are available to all problem types, distinguished by a name 378 starting with "*". To avoid conflicts, extension member names SHOULD 379 NOT start with the "*" character. 381 When creating extensions, problem type authors should choose their 382 names carefully. To be used in the XML format (see Appendix B), they 383 will need to conform to the Name rule in Section 2.3 of [XML]. To be 384 used in the HTTP field (see Section 4), they will need to conform to 385 the Dictionary key syntax defined in Section 3.2 of 386 [STRUCTURED-FIELDS]. 388 Problem type authors that wish their extensions to be usable in the 389 Problem HTTP field (see Section 4) will also need to define the 390 Structured Type(s) that their values are mapped to. 392 4. The Problem HTTP Field 394 Some problems might best be conveyed in a HTTP header or trailer 395 field, rather than in the message content. For example, when a 396 problem does not prevent a successful response from being generated, 397 or when the problem's details are useful to software that does not 398 inspect the response content. 400 The Problem HTTP field allows a limited expression of a problem 401 object in HTTP headers or trailers. It is a Dictionary Structured 402 Field (Section 3.2 of [STRUCTURED-FIELDS]) that can contain the 403 following keys, whose semantics and related requirements are 404 inherited from problem objects: 406 type: the type value (see Section 3.1.1), as a String 408 status: the status value (see Section 3.1.2), as an Integer 410 title: The title value (see Section 3.1.3), as a String 412 detail: The detail value (see Section 3.1.4), as a String 414 instance: The instance value (see Section 3.1.5), as a String 416 The title and detail values MUST NOT be serialized in the Problem 417 field if they contain characters that are not allowed by String; see 418 Section 3.3.3 of [STRUCTURED-FIELDS]. Practically, this has the 419 effect of limiting them to ASCII strings. 421 An extension member (see Section 3.2) MAY occur in the Problem field 422 if its name is compatible with the syntax of Dictionary keys (see 423 Section 3.2 of [STRUCTURED-FIELDS]) and if the defining problem type 424 specifies a Structured Type to serialize the value into. 426 For example: 428 HTTP/1.1 200 OK 429 Content-Type: application/json 430 Problem: type="https://example.net/problems/almost-out", 431 title="you're almost out of credit", credit_left=20 433 5. Defining New Problem Types 435 When an HTTP API needs to define a response that indicates an error 436 condition, it might be appropriate to do so by defining a new problem 437 type. 439 Before doing so, it's important to understand what they are good for, 440 and what's better left to other mechanisms. 442 Problem details are not a debugging tool for the underlying 443 implementation; rather, they are a way to expose greater detail about 444 the HTTP interface itself. Designers of new problem types need to 445 carefully consider the Security Considerations (Section 6), in 446 particular, the risk of exposing attack vectors by exposing 447 implementation internals through error messages. 449 Likewise, truly generic problems -- i.e., conditions that might apply 450 to any resource on the Web -- are usually better expressed as plain 451 status codes. For example, a "write access disallowed" problem is 452 probably unnecessary, since a 403 Forbidden status code in response 453 to a PUT request is self-explanatory. 455 Finally, an application might have a more appropriate way to carry an 456 error in a format that it already defines. Problem details are 457 intended to avoid the necessity of establishing new "fault" or 458 "error" document formats, not to replace existing domain-specific 459 formats. 461 That said, it is possible to add support for problem details to 462 existing HTTP APIs using HTTP content negotiation (e.g., using the 463 Accept request header to indicate a preference for this format; see 464 [HTTP], Section 12.5.1). 466 New problem type definitions MUST document: 468 1. a type URI (typically, with the "http" or "https" scheme), 469 2. a title that appropriately describes it (think short), and 471 3. the HTTP status code for it to be used with. 473 Problem type definitions MAY specify the use of the Retry-After 474 response header ([HTTP], Section 10.2.3) in appropriate 475 circumstances. 477 A problem's type URI SHOULD resolve to HTML [HTML5] documentation 478 that explains how to resolve the problem. 480 A problem type definition MAY specify additional members on the 481 problem details object. For example, an extension might use typed 482 links [WEB-LINKING] to another resource that machines can use to 483 resolve the problem. 485 If such additional members are defined, their names SHOULD start with 486 a letter (ALPHA, as per [ABNF], Appendix B.1) and SHOULD comprise 487 characters from ALPHA, DIGIT ([ABNF], Appendix B.1), and "_" (so that 488 it can be serialized in formats other than JSON), and they SHOULD be 489 three characters or longer. 491 5.1. Example 493 For example, if you are publishing an HTTP API to your online 494 shopping cart, you might need to indicate that the user is out of 495 credit (our example from above), and therefore cannot make the 496 purchase. 498 If you already have an application-specific format that can 499 accommodate this information, it's probably best to do that. 500 However, if you don't, you might use one of the problem details 501 formats -- JSON if your API is JSON-based, or XML if it uses that 502 format. 504 To do so, you might look in the registry (Section 5.2) for an 505 already-defined type URI that suits your purposes. If one is 506 available, you can reuse that URI. 508 If one isn't available, you could mint and document a new type URI 509 (which ought to be under your control and stable over time), an 510 appropriate title and the HTTP status code that it will be used with, 511 along with what it means and how it should be handled. 513 5.2. Registered Problem Types 515 This specification defines the HTTP Problem Type registry for common, 516 widely-used problem type URIs, to promote reuse. 518 The policy for this registry is Specification Required, per 519 [RFC8126], Section 4.5. 521 When evaluating requests, the Expert(s) should consider community 522 feedback, how well-defined the problem type is, and this 523 specification's requirements. Vendor-specific, application-specific, 524 and deployment-specific values are not registrable. Specification 525 documents should be published in a stable, freely available manner 526 (ideally located with a URL), but need not be standards. 528 Registrations MAY use the prefix "https://iana.org/assignments/http- 529 problem-types#" for the type URI. 531 Registration requests should use the following template: 533 * Type URI: [a URI for the problem type] 535 * Title: [a short description of the problem type] 537 * Recommended HTTP status code: [what status code is most 538 appropriate to use with the type] 540 * Reference: [to a specification defining the type] 542 See the registry at https://iana.org/assignments/http-problem-types 543 (https://iana.org/assignments/http-problem-types) for details on 544 where to send registration requests. 546 5.2.1. about:blank 548 This specification registers one Problem Type, "about:blank". 550 * Type URI: about:blank 552 * Title: See HTTP Status Code 554 * Recommended HTTP status code: N/A 556 * Reference: [this document] 558 The "about:blank" URI [ABOUT], when used as a problem type, indicates 559 that the problem has no additional semantics beyond that of the HTTP 560 status code. 562 When "about:blank" is used, the title SHOULD be the same as the 563 recommended HTTP status phrase for that code (e.g., "Not Found" for 564 404, and so on), although it MAY be localized to suit client 565 preferences (expressed with the Accept-Language request header). 567 Please note that according to how the "type" member is defined 568 (Section 3.1), the "about:blank" URI is the default value for that 569 member. Consequently, any problem details object not carrying an 570 explicit "type" member implicitly uses this URI. 572 6. Security Considerations 574 When defining a new problem type, the information included must be 575 carefully vetted. Likewise, when actually generating a problem -- 576 however it is serialized -- the details given must also be 577 scrutinized. 579 Risks include leaking information that can be exploited to compromise 580 the system, access to the system, or the privacy of users of the 581 system. 583 Generators providing links to occurrence information are encouraged 584 to avoid making implementation details such as a stack dump available 585 through the HTTP interface, since this can expose sensitive details 586 of the server implementation, its data, and so on. 588 The "status" member duplicates the information available in the HTTP 589 status code itself, bringing the possibility of disagreement between 590 the two. Their relative precedence is not clear, since a 591 disagreement might indicate that (for example) an intermediary has 592 changed the HTTP status code in transit (e.g., by a proxy or cache). 593 Generic HTTP software (such as proxies, load balancers, firewalls, 594 and virus scanners) are unlikely to know of or respect the status 595 code conveyed in this member. 597 7. IANA Considerations 599 Please update the "application/problem+json" and "application/ 600 problem+xml" registrations in the "Media Types" registry to refer to 601 this document. 603 Please create the "HTTP Problem Types Registry" as specified in 604 Section 5.2, and populate it with "about:blank" as per Section 5.2.1. 606 Please register the following entry into the "Hypertext Transfer 607 Protocol (HTTP) Field Name Registry": 609 Field Name: Problem 611 Status: Permanent 613 Reference: RFC nnnn 615 8. References 617 8.1. Normative References 619 [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 620 Specifications: ABNF", STD 68, RFC 5234, 621 DOI 10.17487/RFC5234, January 2008, 622 . 624 [HTTP] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP 625 Semantics", Work in Progress, Internet-Draft, draft-ietf- 626 httpbis-semantics-19, 12 September 2021, 627 . 630 [JSON] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data 631 Interchange Format", STD 90, RFC 8259, 632 DOI 10.17487/RFC8259, December 2017, 633 . 635 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 636 Requirement Levels", BCP 14, RFC 2119, 637 DOI 10.17487/RFC2119, March 1997, 638 . 640 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 641 Writing an IANA Considerations Section in RFCs", BCP 26, 642 RFC 8126, DOI 10.17487/RFC8126, June 2017, 643 . 645 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 646 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 647 May 2017, . 649 [STRUCTURED-FIELDS] 650 Nottingham, M. and P-H. Kamp, "Structured Field Values for 651 HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021, 652 . 654 [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 655 Resource Identifier (URI): Generic Syntax", STD 66, 656 RFC 3986, DOI 10.17487/RFC3986, January 2005, 657 . 659 [XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and 660 F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth 661 Edition)", World Wide Web Consortium Recommendation REC- 662 xml-20081126, 26 November 2008, 663 . 665 8.2. Informative References 667 [ABOUT] Moonesamy, S., Ed., "The "about" URI Scheme", RFC 6694, 668 DOI 10.17487/RFC6694, August 2012, 669 . 671 [HTML5] WHATWG, "HTML - Living Standard", n.d., 672 . 674 [ISO-19757-2] 675 International Organization for Standardization, 676 "Information Technology -- Document Schema Definition 677 Languages (DSDL) -- Part 2: Grammar-based Validation -- 678 RELAX NG", ISO/IEC 19757-2, 2003. 680 [JSON-POINTER] 681 Bryan, P., Ed., Zyp, K., and M. Nottingham, Ed., 682 "JavaScript Object Notation (JSON) Pointer", RFC 6901, 683 DOI 10.17487/RFC6901, April 2013, 684 . 686 [JSON-SCHEMA] 687 Wright, A., Andrews, H., Hutton, B., and G. Dennis, "JSON 688 Schema: A Media Type for Describing JSON Documents", Work 689 in Progress, Internet-Draft, draft-bhutton-json-schema-00, 690 8 December 2020, . 693 [RDFA] Adida, B., Birbeck, M., McCarron, S., and I. Herman, "RDFa 694 Core 1.1 - Third Edition", World Wide Web Consortium 695 Recommendation REC-rdfa-core-20150317, 17 March 2015, 696 . 698 [TAG] Kindberg, T. and S. Hawke, "The 'tag' URI Scheme", 699 RFC 4151, DOI 10.17487/RFC4151, October 2005, 700 . 702 [WEB-LINKING] 703 Nottingham, M., "Web Linking", RFC 8288, 704 DOI 10.17487/RFC8288, October 2017, 705 . 707 [XSLT] Clark, J., Pieters, S., and H. Thompson, "Associating 708 Style Sheets with XML documents 1.0 (Second Edition)", 709 World Wide Web Consortium Recommendation REC-xml- 710 stylesheet-20101028, 28 October 2010, 711 . 713 Appendix A. JSON Schema for HTTP Problems 715 This section presents a non-normative JSON Schema [JSON-SCHEMA] for 716 HTTP Problem Details. If there is any disagreement between it and 717 the text of the specification, the latter prevails. 719 # NOTE: '\' line wrapping per RFC 8792 720 { 721 "$schema": "https://json-schema.org/draft/2020-12/schema", 722 "title": "A problem object RFC 7807bis", 723 "type": "object", 724 "properties": { 725 "type": { 726 "type": "string", 727 "format": "uri-reference", 728 "description": "A URI reference RFC3986 that identifies the \ 729 problem type." 730 }, 731 "title": { 732 "type": "string", 733 "description": "A short, human-readable summary of the \ 734 problem type. It SHOULD NOT change from occurrence to occurrence \ 735 of the problem, except for purposes of localization (e.g., using \ 736 proactive content negotiation; see RFC7231, Section 3.4)" 737 }, 738 "status": { 739 "type": "integer", 740 "description": "The HTTP status code (RFC7231, Section 6) \ 741 generated by the origin server for this occurrence of the problem.", 742 "minimum": 100, 743 "maximum": 599 744 }, 745 "detail": { 746 "type": "string", 747 "description": "A human-readable explanation specific to \ 748 this occurrence of the problem." 749 }, 750 "instance": { 751 "type": "string", 752 "format": "uri-reference", 753 "description": "A URI reference that identifies the \ 754 specific occurrence of the problem. It may or may not yield \ 755 further information if dereferenced." 756 } 757 } 758 } 760 Appendix B. HTTP Problems and XML 762 HTTP-based APIs that use XML [XML] can express problem details using 763 the format defined in this appendix. 765 The RELAX NG schema [ISO-19757-2] for the XML format is: 767 default namespace ns = "urn:ietf:rfc:7807" 769 start = problem 771 problem = 772 element problem { 773 ( element type { xsd:anyURI }? 774 & element title { xsd:string }? 775 & element detail { xsd:string }? 776 & element status { xsd:positiveInteger }? 777 & element instance { xsd:anyURI }? ), 778 anyNsElement 779 } 781 anyNsElement = 782 ( element ns:* { anyNsElement | text } 783 | attribute * { text })* 785 Note that this schema is only intended as documentation, and not as a 786 normative schema that captures all constraints of the XML format. It 787 is possible to use other XML schema languages to define a similar set 788 of constraints (depending on the features of the chosen schema 789 language). 791 The media type for this format is "application/problem+xml". 793 Extension arrays and objects are serialized into the XML format by 794 considering an element containing a child or children to represent an 795 object, except for elements that contain only child element(s) named 796 'i', which are considered arrays. For example, the example above 797 appears in XML as follows: 799 HTTP/1.1 403 Forbidden 800 Content-Type: application/problem+xml 801 Content-Language: en 803 804 805 https://example.com/probs/out-of-credit 806 You do not have enough credit. 807 Your current balance is 30, but that costs 50. 808 https://example.net/account/12345/msgs/abc 809 30 810 811 https://example.net/account/12345 812 https://example.net/account/67890 813 814 815 This format uses an XML namespace, primarily to allow embedding it 816 into other XML-based formats; it does not imply that it can or should 817 be extended with elements or attributes in other namespaces. The 818 RELAX NG schema explicitly only allows elements from the one 819 namespace used in the XML format. Any extension arrays and objects 820 MUST be serialized into XML markup using only that namespace. 822 When using the XML format, it is possible to embed an XML processing 823 instruction in the XML that instructs clients to transform the XML, 824 using the referenced XSLT code [XSLT]. If this code is transforming 825 the XML into (X)HTML, then it is possible to serve the XML format, 826 and yet have clients capable of performing the transformation display 827 human-friendly (X)HTML that is rendered and displayed at the client. 828 Note that when using this method, it is advisable to use XSLT 1.0 in 829 order to maximize the number of clients capable of executing the XSLT 830 code. 832 Appendix C. Using Problem Details with Other Formats 834 In some situations, it can be advantageous to embed problem details 835 in formats other than those described here. For example, an API that 836 uses HTML [HTML5] might want to also use HTML for expressing its 837 problem details. 839 Problem details can be embedded in other formats either by 840 encapsulating one of the existing serializations (JSON or XML) into 841 that format or by translating the model of a problem detail (as 842 specified in Section 3) into the format's conventions. 844 For example, in HTML, a problem could be embedded by encapsulating 845 JSON in a script tag: 847 859 or by inventing a mapping into RDFa [RDFA]. 861 This specification does not make specific recommendations regarding 862 embedding problem details in other formats; the appropriate way to 863 embed them depends both upon the format in use and application of 864 that format. 866 Acknowledgements 868 The authors would like to thank Jan Algermissen, Subbu Allamaraju, 869 Mike Amundsen, Roy Fielding, Eran Hammer, Sam Johnston, Mike McCall, 870 Julian Reschke, and James Snell for review of this specification. 872 Authors' Addresses 874 Mark Nottingham 875 Prahran 876 Australia 877 Email: mnot@mnot.net 878 URI: https://www.mnot.net/ 880 Erik Wilde 881 Email: erik.wilde@dret.net 882 URI: http://dret.net/netdret/ 884 Sanjay Dalal 885 United States of America 886 Email: sanjay.dalal@cal.berkeley.edu 887 URI: https://github.com/sdatspun2