spring-authorization-server
Respond with authentication scheme when client authentication fails
As per section 3.2.3.1. Error Response:
"invalid_client": Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
We should respond with the required authentication scheme when a client fails authentication.
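A sketch of the rule quoted above, as an added example that is not part of the original issue or the project's code. It uses plain JDK Java (16+); the class, the `Response` record, the method names, the realm value and the 400 fallback are assumptions of this sketch.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class InvalidClientResponse {
    // An auth-scheme is an HTTP "token"; anything else is never echoed back.
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+.^_`|~0-9A-Za-z-]+");
    // Assumed realm value; RFC 7617 requires a realm on a Basic challenge.
    private static final String BASIC_CHALLENGE = "Basic realm=\"token-endpoint\"";

    // Hypothetical response model: status, headers, JSON body.
    record Response(int status, Map<String, String> headers, String body) {}

    /** authorizationHeader: raw Authorization request header, or null if none was sent. */
    static Response forFailedClientAuth(String authorizationHeader) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", "application/json");
        String body = "{\"error\":\"invalid_client\"}";
        if (authorizationHeader == null || authorizationHeader.isBlank()) {
            // Credentials were not sent via the header (e.g. in the request body):
            // 401 is only a MAY here, so this sketch answers 400.
            return new Response(400, headers, body);
        }
        // Header was used: MUST be 401 plus a challenge matching the client's scheme.
        headers.put("WWW-Authenticate", challengeFor(authorizationHeader));
        return new Response(401, headers, body);
    }

    static String challengeFor(String authorizationHeader) {
        String scheme = authorizationHeader.trim().split("\\s+", 2)[0];
        if (scheme.equalsIgnoreCase("Basic") || !TOKEN.matcher(scheme).matches()) {
            // Basic, or a malformed scheme that must not be reflected into a header
            // (falling back to Basic is this sketch's choice).
            return BASIC_CHALLENGE;
        }
        return scheme; // well-formed scheme token, echoed as the challenge
    }

    public static void main(String[] args) {
        // Constructed sample inputs: failed Basic, another scheme, no header.
        for (String h : new String[] {"Basic Y2xpZW50Ondyb25n", "bearer abc", null}) {
            Response r = forFailedClientAuth(h);
            System.out.println(h + " -> " + r.status() + " " + r.headers().get("WWW-Authenticate"));
        }
    }
}
```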
Hi @jgrandja, the latest version of OAuth 2.1 is draft-ietf-oauth-v2-1-04, so perhaps you could update the link address in the original post to this: 3.2.3.1. Error Response
Hi @jgrandja, I can work on it. In which version is it planned? Thank you!
Thanks for your interest @Enkosz. This enhancement hasn't been planned for a specific release since it's lower priority.
However, if you would like to work on it we can schedule it whenever it is done.