In https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07 section 5.2.3 (The WWW-Authenticate Response Header Field):
    "All challenges for this token type MUST use the auth-scheme value Bearer. This scheme MUST be followed by one or more auth-param values."

Why is at least one auth-param required? It makes

    WWW-Authenticate: Bearer

in response to a request lacking any authentication information (thus without an error auth-param attribute) non-compliant. The optional scope attribute is not useful in this case. The optional realm attribute may not be necessary (e.g. if there is only one realm). So to be compliant, you would have to add a non-meaningful auth-param like foo=bar.

Note: While in RFC 2617 (https://datatracker.ietf.org/doc/html/rfc2617#section-1.2) challenge was defined as

    challenge = auth-scheme 1*SP 1#auth-param

(requiring at least one auth-param), RFC 9110 (https://www.rfc-editor.org/rfc/rfc9110#section-11.3) does not have this requirement:

    challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

-- 
Johannes Koch
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
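The two grammars the post contrasts, as an added example that is not part of the mailing-list thread: a small checker that parses a Bearer challenge and reports whether a bare "WWW-Authenticate: Bearer" passes the draft's "one or more auth-param" rule versus RFC 9110's optional parameter list. Function names and the sample header values are my own, and the auth-param syntax is a simplified token / quoted-string form, not a full ABNF implementation (token68 is not modelled since Bearer challenges only use auth-params).

```python
import re

# Simplified RFC 9110 token (tchar) and auth-param = token "=" ( token / quoted-string ).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM_RE = re.compile(
    rf"\s*({TOKEN})\s*=\s*({TOKEN}|\"(?:[^\"\\]|\\.)*\")\s*(?:,\s*|$)"
)


def parse_bearer_challenge(value):
    """Parse the value of a WWW-Authenticate header.

    Returns (ok, params): ok is False when the scheme is not Bearer or an
    auth-param is malformed; params maps lower-cased auth-param names to
    their (unquoted) values. A bare "Bearer" parses with an empty dict.
    """
    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() != "bearer":
        return False, {}
    params = {}
    if len(parts) == 1:
        return True, params  # scheme only, no auth-params
    rest, pos = parts[1], 0
    while pos < len(rest):
        m = PARAM_RE.match(rest, pos)
        if not m:
            return False, {}  # e.g. "error=" with no value
        name, val = m.group(1).lower(), m.group(2)
        if val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # strip quotes, unescape
        params[name] = val
        pos = m.end()
    return True, params


def compliant_with_oauth21_draft(value):
    """draft-ietf-oauth-v2-1 5.2.3: Bearer MUST be followed by >= 1 auth-param."""
    ok, params = parse_bearer_challenge(value)
    return ok and len(params) >= 1


def compliant_with_rfc9110(value):
    """RFC 9110 11.3: the auth-param list after the scheme is optional."""
    ok, _ = parse_bearer_challenge(value)
    return ok


if __name__ == "__main__":
    # Constructed sample headers illustrating the post's point.
    for hdr in ["Bearer", 'Bearer realm="example"', "Bearer foo=bar"]:
        print(f"{hdr!r}: draft={compliant_with_oauth21_draft(hdr)} "
              f"rfc9110={compliant_with_rfc9110(hdr)}")
```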