If token authentication fails should set WWW-Authenticate header

[luckv]

When the autentication for get a resource fails (so only when checking the Authorization header), the RFC 6750 says that a WWW-Authenticate header must be set in the response. This library doesn't do this. It's a wanted behaviour or a forgotten functionality to implement? Because I have seen some closed issues related to versions 1.x and 2.x, but then no one talked about it and it has not been implemented yet. Thank you all, you are doing a great work anyway.

[luckv]

Errors

Properties related to oauth protocol flow

• code, status, statusCode. The associated status code of the response
• name. Intended to be used as the error parameter as described by RFC 6749 in Section 4.1.2.1, Section 4.2.2.1 and Section 5.2, as well as Section 3.1 of RFC 6750.
• message. Intended to be used as the error_description parameter as described by RFC 6749 in Section 4.1.2.1, Section 4.2.2.1 and Section 5.2, as well as Section 3.1 of RFC 6750.

The instance of the errors described below are referred as e inside each section

InvalidRequestError

Section 4.2.2.1 of RFC 6749 and Section 3.1 of RFC 6750

Status code SHOULD be 400 (Bad request)
Header WWW-Authenticate MUST be Bearer realm="Service",error="invalid_request"
Header WWW-Authenticate SHOULD be Bearer realm="Service",error="invalid_request",error_description="e.message"

InvalidTokenError

Section 4.2.2.1 of RFC 6749 and Section 3.1 of RFC 6750

Status code SHOULD be 401 (Unauthorized)
Header WWW-Authenticate MUST be Bearer realm="Service",error="invalid_token"
Header WWW-Authenticate SHOULD be Bearer realm="Service",error="invalid_token",error_description="e.message"

InsufficientScopeError

Status code SHOULD be 403 (Forbidded)
Header WWW-Authenticate MUST be Bearer realm="Service",error="insufficient_scope"
Header WWW-Authenticate SHOULD be Bearer realm="Service",error="invalid_token",error_description="e.message",scope="<scope/s necessary to access the resource>"

UnauthorizedRequestError

Section 3.1 of RFC 6750

Status code SHOULD be 401 (Unauthorized)
Header WWW-Authenticate MUST be Bearer realm="Service"
No body in the response

---

I created a pull request with the code to write headers #555

[luckv]

Any news?