Return WWW-Authenticate HTTP response header for access token problems

[jpraet]

Shouldn't these problem responses contain a WWW-Authenticate HTTP response header?

• https://www.belgif.be/specification/rest/api-guide/#no-access-token
• https://www.belgif.be/specification/rest/api-guide/#invalid-access-token
• https://www.belgif.be/specification/rest/api-guide/#expired-access-token
• https://www.belgif.be/specification/rest/api-guide/#missing-scope

See https://www.rfc-editor.org/rfc/rfc6750#section-3

If the protected resource request does not include authentication credentials or does not contain an access token that enables access to the protected resource, the resource server MUST include the HTTP "WWW-Authenticate" response header field;

[pvdbosch]

Yes I guess they should. We could add it to the example and also refer to it in the problem type description, referring to the OAuth2 spec for further info.

[pvdbosch]

OK to update REST WG with this, PR to be created