Skip to content

Additional WWW-Authenticate Response Information #16977

New issue
New issue
Closed
Closed
Additional WWW-Authenticate Response Information#16977
Assignees
jzheaux
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: duplicateA duplicate of another issuetype: enhancementA general enhancement
@danielshiplett

Description

@danielshiplett
danielshiplett
opened on Apr 21, 2025

The Problem

We recently had an application request fail to provide any bearer token in the Authorization header. They received a 401 as expected. However, the www-authenticate response header only had the word Bearer in the value. This made it difficult to debug as it implied that they were sending a bearer token when they weren't.

The Request

I suggest an improvement in Spring Security to add an error message such as missing_token or some other similar value to help identify the root problem.

This PR contains a test case that will pass when the additional error message is provided.

I am willing to provide a fix for this as well. However, I don't know where in Spring Security to implement such a fix. I know about BearerTokenAuthenticationEntryPoint where other bearer token related errors have their details added. However, that doesn't feel right in this case because we aren't 100% guaranteed the intent of the request was to provide a bearer token (some other form of Authorization may be supported along with OAuth2 Resource Server).

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)status: duplicateA duplicate of another issuetype: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions