Add `WWW-Authenticate` header for JWT auth.
Issue Description
According to the RFC, JWT token authorization has to return a WWW-Authenticate
header, but actually it doesn't.
RFC doc: https://tools.ietf.org/html/rfc7235#section-4.1
- [x] Searched existing issues and docs
Expected behaviour
return a header like: `Bearer realm="oauth2-resource", error="invalid_token", error_description="Access token expired: invalid_token"`
Actual behaviour
From `curl -v -k`, the response for an invalid header is:

```
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Type: application/json; charset=UTF-8
< Date: Mon, 20 Apr 2020 19:44:47 GMT
< Content-Length: 37
<
{"message":"invalid or expired jwt"}
* Connection #0 to host localhost left intact
```
Steps to reproduce
Just set JWTConfig and try to send an invalid token.
Version/commit
4.1.10
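As an added illustration of the expected behaviour (this is example code written for this page, not Echo's middleware and not part of the original issue), here is a standard-library Go handler wrapper that answers a missing or rejected bearer token with 401 plus the RFC 7235 challenge header. The `validator` hook is an assumption that stands in for real JWT verification; the realm and error strings are the ones quoted in the issue.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// bearerChallenge builds the WWW-Authenticate value the issue expects:
// Bearer realm="...", error="...", error_description="...". Parameters are
// quoted-strings (RFC 7235), so quotes and backslashes inside them are escaped.
func bearerChallenge(realm, code, desc string) string {
	q := func(s string) string {
		return strings.ReplaceAll(strings.ReplaceAll(s, `\`, `\\`), `"`, `\"`)
	}
	v := fmt.Sprintf(`Bearer realm="%s"`, q(realm))
	if code != "" { // RFC 6750 3.1: no error attribute when no token was sent at all
		v += fmt.Sprintf(`, error="%s", error_description="%s"`, q(code), q(desc))
	}
	return v
}
// validator stands in for real JWT verification (an assumption, not Echo's API):
// it returns an RFC 6750 error code and description, or "" if the token is good.
type validator func(token string) (code, desc string)
// requireBearer answers missing or rejected tokens with 401 plus the challenge,
// so clients learn the failure reason from the header, not only from the body.
func requireBearer(realm string, valid validator, next http.Handler) http.Handler {
	deny := func(w http.ResponseWriter, code, desc, msg string) {
		w.Header().Set("WWW-Authenticate", bearerChallenge(realm, code, desc))
		w.Header().Set("Content-Type", "application/json; charset=UTF-8")
		w.WriteHeader(http.StatusUnauthorized)
		fmt.Fprintf(w, `{"message":%q}`, msg)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if len(auth) < 7 || !strings.EqualFold(auth[:7], "Bearer ") {
			deny(w, "", "", "missing bearer token")
			return
		}
		if code, desc := valid(strings.TrimSpace(auth[7:])); code != "" {
			deny(w, code, desc, "invalid or expired jwt")
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // stand-alone demo; a real app would plug in its JWT verifier here
	fmt.Println(bearerChallenge("oauth2-resource", "invalid_token", "Access token expired"))
}
```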
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Hello, any update here? Can I make a PR for that?
Do you know any sample frameworks that also implement this functionality? I would like to investigate how necessary it is.
@melonaerial At least for me, I like to be compliant with the RFC, so if you want to submit a PR adding that I'll appreciate it.

@iambenkay After some digging I found some pieces of code that use www-authenticate (not related to JWT, it's Bearer Auth). Besides that, per the RFC, it is the place to go to find which was the error. Here is an example using it to refresh the token with missing scopes: https://github.com/google/go-containerregistry/pull/846/files#diff-9a4291d8f00bdefdab7d5d582b5392edd3e686a511e94b0f1beeb5a1eda4956d
Here is a Gin middleware that returns www-authenticate https://github.com/appleboy/gin-jwt/blob/1b8cb3213b4c159bf61a073f7778c0c711f6d6cc/auth_jwt.go#L733