Missing Bearer auth in the WWW-Authenticate header #48541
Description
When hitting DAV endpoints:
```
curl -v https://xxx.org/remote.php/dav
```
The returned WWW-Authenticate header doesn't contain the Bearer scheme:
```
< HTTP/1.1 401 Unauthorized
< Date: Sun, 08 Sep 2024 13:15:07 GMT
< Server: Apache
< Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Permitted-Cross-Domain-Policies: none
< X-Robots-Tag: noindex, nofollow
< X-XSS-Protection: 1; mode=block
< X-Powered-By: PHP/8.2.20
< Set-Cookie: 5274cafd68046=ebo7obcaaeka0hbnf9n912cj3n; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: oc_sessionPassphrase=yPekSuZlf2In%2BZWzmnDMlTIE4MGmUF23Coax4k8xncxNnvQ71hwUD%2FRaQ9D0dlZFRDFleXEZrttF2gt%2B9mF%2FmWYPL9x9IsSEQ1T2WFFCqynzOwkrdmpzH9S%2FkAL8eaxK; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: 5274cafd68046=ebo7obcaaeka0hbnf9n912cj3n; path=/; secure; HttpOnly; SameSite=Lax
< Content-Security-Policy: default-src 'none';
< Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
< Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
< Set-Cookie: 5274cafd68046=ebo7obcaaeka0hbnf9n912cj3n; path=/; secure; HttpOnly; SameSite=Lax
< WWW-Authenticate: Basic realm="Nextcloud", charset="UTF-8"
< Content-Length: 557
< Content-Type: application/xml; charset=utf-8
```
See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate and
https://datatracker.ietf.org/doc/html/rfc6750#section-3
This breaks the Roundcube Carddav integration and probably other clients as well.
Clients like https://github.com/mstilkerich/carddavclient/blob/master/src/HttpClientAdapterGuzzle.php break.
(See the `getSupportedAuthSchemes` function.)
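
A way to check a 401 response for the condition reported above, as an added example (not code from the issue, Nextcloud, or carddavclient): it parses the `WWW-Authenticate` challenges and returns the schemes the server offers. The function names and the `WITH_BEARER` sample header are constructed for this illustration.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# auth-param: token "=" ( token / quoted-string )
PARAM = re.compile(rf'({TOKEN})[ \t]*=[ \t]*("(?:[^"\\]|\\.)*"|{TOKEN})')
# auth-scheme, optionally followed by a token68 blob (as Negotiate uses)
SCHEME = re.compile(rf"({TOKEN})(?:[ \t]+([A-Za-z0-9._~+/-]+=*)(?=[ \t]*(?:,|$)))?")
SEP = re.compile(r"[ \t,]*")


def parse_challenges(value):
    """Split one WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges, pos = [], 0
    while True:
        pos = SEP.match(value, pos).end()  # commas separate params AND challenges
        if pos >= len(value):
            return challenges
        m = PARAM.match(value, pos)
        if m and challenges:
            raw = m.group(2)
            if raw.startswith('"'):  # unquote and drop backslash escapes
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
            challenges[-1][1][m.group(1).lower()] = raw
        else:
            m = SCHEME.match(value, pos)  # not a param, so a new challenge starts
            if not m:
                raise ValueError(f"malformed challenge at offset {pos}")
            challenges.append((m.group(1), {}))
        pos = m.end()


def advertised_schemes(response_headers):
    """Lower-cased schemes offered across all WWW-Authenticate lines."""
    schemes = set()
    for line in response_headers.splitlines():
        name, _, value = line.lstrip("< ").partition(":")  # tolerate curl -v prefix
        if name.strip().lower() == "www-authenticate":
            schemes.update(s.lower() for s, _ in parse_challenges(value.strip()))
    return schemes


# Header line taken from the 401 response quoted in the issue.
REPORTED = '< WWW-Authenticate: Basic realm="Nextcloud", charset="UTF-8"'
# Constructed sample: the same response with a Bearer challenge listed too.
WITH_BEARER = 'WWW-Authenticate: Bearer realm="Nextcloud", Basic realm="Nextcloud", charset="UTF-8"'

if __name__ == "__main__":
    for hdr in (REPORTED, WITH_BEARER):
        print(sorted(advertised_schemes(hdr)))
```
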