
fix(jwt): add missing www-authenticate headers

Open: nowNick opened this issue 1 year ago • 1 comment

Summary

When Kong returns a 401 Unauthorized response, it should return a WWW-Authenticate header with a proper challenge. JWT auth was missing this header.

Related PRs:

  • https://github.com/Kong/kong/pull/11791
  • https://github.com/Kong/kong/pull/11794
  • https://github.com/Kong/kong/pull/11795
  • https://github.com/Kong/kong/pull/11820
  • https://github.com/Kong/kong/pull/11833

RFCs & Materials

  • https://httpwg.org/specs/rfc7235.html#status.401
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate

Checklist

  • [x] The Pull Request has tests
  • [x] A changelog file has been created under changelog/unreleased/kong or skip-changelog label added on PR if changelog is unnecessary. README.md
  • [x] N/A ~~There is a user-facing docs PR against https://github.com/Kong/docs.konghq.com - PUT DOCS PR HERE~~

Full changelog

  • add WWW-Authenticate header to jwt 401 response

Issue reference

  • Fix #7772
  • KAG-321

nowNick, Oct 19 '23 10:10

Should we also be setting realm and/or the error in the www-authenticate header? Example:

     WWW-Authenticate: Bearer realm="example",
                       error="invalid_token",
                       error_description="The access token expired"

brentos, Oct 24 '23 18:10
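As an added example (not code from the Kong PR or the Kong code base), a small Python conformance check for the behaviour discussed above: a 401 must carry a parseable WWW-Authenticate challenge (RFC 7235 section 3.1), and a Bearer challenge that names an error should use only the codes RFC 6750 section 3.1 registers. The sample responses, including the realm value, are constructed, not captured from Kong.

```python
import re

# Simplified RFC 7235 grammar: a challenge is a scheme token followed by
# auth-params, each a token or a quoted-string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_CHALLENGE = re.compile(rf"\s*({_TOKEN})(?:\s+(.*))?\s*$", re.S)
_PARAM = re.compile(rf'({_TOKEN})\s*=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN}))')
# Bearer error codes registered by RFC 6750 section 3.1.
BEARER_ERRORS = {"invalid_request", "invalid_token", "insufficient_scope"}


def parse_challenge(value):
    """Parse one challenge such as 'Bearer realm="x", error="invalid_token"'
    into (scheme, params). Folded multi-line values are accepted and
    param names are lower-cased; a list of several challenges is not handled."""
    m = _CHALLENGE.match(value)
    if not m:
        raise ValueError("malformed challenge: %r" % value)
    scheme, rest = m.group(1), m.group(2) or ""
    params = {}
    for name, quoted, bare in _PARAM.findall(rest):
        # Unescape quoted-pair (\") inside quoted-string values.
        params[name.lower()] = bare if bare else re.sub(r"\\(.)", r"\1", quoted)
    return scheme, params


def check_401(status, headers):
    """Return a list of findings for one response; empty means it conforms."""
    if status != 401:
        return []
    values = [v for k, v in headers if k.lower() == "www-authenticate"]
    if not values:
        return ["401 without WWW-Authenticate (RFC 7235 s3.1 requires a challenge)"]
    findings = []
    for v in values:
        try:
            scheme, params = parse_challenge(v)
        except ValueError as e:
            findings.append(str(e))
            continue
        err = params.get("error")
        if scheme.lower() == "bearer" and err is not None and err not in BEARER_ERRORS:
            findings.append("unregistered Bearer error code %r" % err)
    return findings


# Constructed sample responses (assumed, not captured from Kong): the pre-fix
# response, a minimal post-fix challenge, and the richer challenge proposed above.
SAMPLES = {
    "before": (401, [("Content-Type", "application/json")]),
    "after": (401, [("WWW-Authenticate", 'Bearer realm="kong"')]),
    "rich": (401, [("WWW-Authenticate", 'Bearer realm="example",\n    error="invalid_token",\n'
                                        '    error_description="The access token expired"')]),
}
```

Running `check_401(*SAMPLES["before"])` reports the missing header, while the other two samples pass.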