FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Only add `WWW-Authenticate` when returning `401` when using `Authentication: Basic` scheme #2645

Open robotdan opened 7 months ago

robotdan commented 7 months ago

What happened?

When using the Basic auth scheme with various OAuth endpoints in FusionAuth, FusionAuth will always respond with the WWW-Authenticate response header, even when the status code is not 401.

While the header is required when returning a 401, the spec seems to allow it for other status codes, but it isn't entirely clear and perhaps we are doing it incorrectly.

See Section 4.1 of RFC 7235.

Here is the relevant copy in the RFC.

A server MAY generate a WWW-Authenticate header field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.

If we read "other response messages" to mean a response with a status code other than 401 then we are in theory within the spec.

Regardless of whether this is allowed, it is possible that a client, in response to the presence of this header, prompts the user to log in even if the status code was not 401, so we may need to revisit this behavior.

One example is next-auth, see:

Version

1.48.0

Affects Versions

No response
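As an added example (not FusionAuth's own code), the behaviour the issue asks for, modelled as a simulated token endpoint in Python: the `WWW-Authenticate` challenge is attached only to the `401` response, while an authenticated-but-invalid request gets a `400` without it, and a small audit helper flags captured responses that carry the header with any other status. The realm string, client table and token value are constructed for the example.

```python
import base64
import hmac

REALM = "example"  # constructed realm value, not FusionAuth's


def basic_header(client_id, client_secret):
    """Build an `Authorization: Basic` header value for the example client."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def decode_basic(authorization):
    """Parse an `Authorization: Basic` value into (client_id, secret); None if absent or malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep else None


def token_response(headers, clients, grant_type):
    """Simulated token endpoint: returns (status, response_headers, body).

    The challenge header is emitted only on the 401 path, so a client that
    treats WWW-Authenticate as a login prompt never sees it on a 400 or 200.
    """
    creds = decode_basic(headers.get("Authorization"))
    expected = clients.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, {"error": "invalid_client"}
    if grant_type != "client_credentials":
        # Authenticated, but the request itself is wrong: no challenge here
        return 400, {}, {"error": "unsupported_grant_type"}
    return 200, {}, {"access_token": "constructed-token", "token_type": "Bearer"}


def stray_challenges(responses):
    """Audit (status, headers) pairs; return the statuses that carry WWW-Authenticate but are not 401."""
    return [s for s, h in responses if s != 401 and "www-authenticate" in {k.lower() for k in h}]
```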