belgif / rest-guide

REST Guidelines of Belgian government institutions
https://www.belgif.be/specification/rest/api-guide/
Apache License 2.0

Return WWW-Authenticate HTTP response header for access token problems #204

Open jpraet opened 1 week ago

jpraet commented 1 week ago

Shouldn't these problem responses contain a WWW-Authenticate HTTP response header?

See https://www.rfc-editor.org/rfc/rfc6750#section-3

If the protected resource request does not include authentication credentials or does not contain an access token that enables access to the protected resource, the resource server MUST include the HTTP "WWW-Authenticate" response header field;

pvdbosch commented 1 week ago

Yes, I guess they should. We could add it to the example and also refer to it in the problem type description, referring to the OAuth2 spec for further info.
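A sketch of what such a response could look like, added here as an illustration and not taken from the thread or from the guide itself: it builds the RFC 6750 section 3 `WWW-Authenticate` challenge alongside a problem+json body. The function names, the realm and the `urn:problem-type:example:...` type values are hypothetical placeholders.

```python
import json
import re

# RFC 6750 section 3: error and error_description values may only use
# %x20-21 / %x23-5B / %x5D-7E (printable ASCII without '"' and '\').
# Assumption: the same restriction is applied to realm and scope here.
_ALLOWED = re.compile(r"[\x20-\x21\x23-\x5B\x5D-\x7E]*")

# RFC 6750 section 3.1 error codes and the HTTP status each one maps to.
_STATUS = {"invalid_request": 400, "invalid_token": 401, "insufficient_scope": 403}


def bearer_challenge(realm, error=None, description=None, scope=None):
    """Build the WWW-Authenticate value for a Bearer challenge."""
    params = [("realm", realm)]
    if error is not None:
        if error not in _STATUS:
            raise ValueError(f"unknown RFC 6750 error code: {error}")
        params.append(("error", error))
        if description:
            params.append(("error_description", description))
        if scope:
            params.append(("scope", scope))
    for name, value in params:
        # Reject instead of escaping; this also blocks CR/LF header injection.
        if not _ALLOWED.fullmatch(value):
            raise ValueError(f"illegal character in {name}")
    return "Bearer " + ", ".join(f'{n}="{v}"' for n, v in params)


def token_problem(problem_type, title, realm, error=None, description=None, scope=None):
    """Return (status, headers, body) for an access token problem response."""
    # Request without any credentials: 401 and a challenge with no error
    # attributes, as RFC 6750 section 3.1 recommends.
    status = _STATUS[error] if error else 401
    headers = {
        "Content-Type": "application/problem+json",
        "WWW-Authenticate": bearer_challenge(realm, error, description, scope),
    }
    body = {"type": problem_type, "title": title, "status": status}
    if error and description:
        body["detail"] = description
    return status, headers, json.dumps(body)
```
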