srb4j

401, 403 and WWW-Authenticate header in oauth2 responses

Open chenjianjx opened this issue 4 years ago • 0 comments

Missing token / token invalid / token expired: should use 401 + WWW-Authenticate header, not 400. And in this case the frontend should do a login.

Insufficient scope: should use 403 + WWW-Authenticate header. In this case the frontend should not do a login.

A good discussion can be found here: https://github.com/bshaffer/oauth2-server-php/issues/143

Things that should be changed

  • Backend code that writes the response
  • Documentation about frontend code in readme.md

chenjianjx, Apr 05 '20 01:04
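The status and header mapping requested in the issue, following the Bearer challenge format of RFC 6750 section 3, together with the matching frontend decision. This is an added example, not srb4j code: the function names, outcome strings, action strings and the realm value are all assumptions.

```javascript
// Added example, not srb4j code. All names and the realm are hypothetical.
const REALM = "example"; // assumed realm value

// Backend side: map a token check outcome to status + WWW-Authenticate.
function bearerChallenge(outcome, requiredScope) {
  const params = [`realm="${REALM}"`];
  let status;
  switch (outcome) {
    case "missing":
      // No credentials were sent: bare challenge without an error code.
      status = 401;
      break;
    case "invalid":
    case "expired":
      status = 401;
      params.push('error="invalid_token"');
      params.push(`error_description="The access token is ${outcome}"`);
      break;
    case "insufficient_scope":
      // Token is valid but lacks privileges: 403, never 401.
      status = 403;
      params.push('error="insufficient_scope"');
      if (requiredScope) params.push(`scope="${requiredScope}"`);
      break;
    default:
      throw new Error(`unknown outcome: ${outcome}`);
  }
  const header = "Bearer " + params.join(", ");
  return { status, headers: { "WWW-Authenticate": header } };
}

// Frontend side: choose the next step from the status and the challenge.
function frontendAction(res) {
  const header = res.headers["WWW-Authenticate"] || "";
  const isBearer = /^Bearer(\s|$)/i.test(header);
  const match = /error="([^"]*)"/.exec(header);
  const error = match ? match[1] : null;
  // 401 with a Bearer challenge: the token is absent or unusable, so log in.
  if (res.status === 401 && isBearer) return "login";
  // 403 insufficient_scope: a fresh login would not help, so do not redirect.
  if (res.status === 403 && error === "insufficient_scope") return "show-forbidden";
  return "handle-as-ordinary-error";
}
```
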