Incorrect parameter delimiter in JWT plugin `WWW-Authenticate` header

### Is there an existing issue for this?

- [x] I have searched the existing issues

### Kong version (`$ kong version`)

3.9

### Description

I noticed that the `WWW-Authenticate` header in JWT plugin uses spaces to separate parameters.
https://github.com/Kong/kong/blob/ed117a6fe801a80ddaa07b5af30ed4c5daabf241/kong/plugins/jwt/handler.lua#L161

According to RFC 7235 (HTTP Authentication) ([Section 4.1](https://datatracker.ietf.org/doc/html/rfc7235#section-4.1)), the parameters in authentication headers should be comma-delimited. 

> ... and each challenge can contain a comma-separated list of authentication parameters.

The correct format should be:
`WWW-Authenticate: Bearer realm="auth-server", error="invalid_token"  `
(Note the comma , between realm and error parameters.)

If I misunderstood the RFC’s requirements for header formatting, kindly clarify or correct me.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Incorrect parameter delimiter in JWT plugin `WWW-Authenticate` header #14429

Is there an existing issue for this?

Kong version (`$ kong version`)

Description

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Incorrect parameter delimiter in JWT plugin WWW-Authenticate header #14429

Description

Is there an existing issue for this?

Kong version ($ kong version)

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

Incorrect parameter delimiter in JWT plugin `WWW-Authenticate` header #14429

Kong version (`$ kong version`)