oauth2-server
WWW-Authenticate header is not included for access denied errors
The WWW-Authenticate header is only included by OAuthServerException for invalid_client errors. I think it should be included for other errors, at least for access denied errors from the resource server.
RFC 6749, section 5.2 (quoted in the code comments):
"If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client."
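The following is an added example and not code from the oauth2-server project or from the issue author. It models the two behaviours the report contrasts: the RFC 6749 section 5.2 rule quoted above (invalid_client at the token endpoint gets a 401 whose WWW-Authenticate challenge echoes the scheme the client used), and, as the assumed counterpart for the resource server, the RFC 6750 section 3 bearer challenge that a protected resource attaches to every rejected request. The dataclasses, realm names and sample requests are this example's own assumptions, not the library's API.

```python
"""Added example (not code from the oauth2-server project): a model of how
an OAuth 2.0 server can attach WWW-Authenticate to error responses.

Two rules are modelled.  RFC 6749 section 5.2 (the one quoted in the
issue): an invalid_client error for a client that authenticated via the
Authorization header is a 401 carrying a challenge in the scheme the client
used.  RFC 6750 section 3 is assumed here as the matching rule for the
resource server: a rejected bearer token gets a "Bearer" challenge with the
error attributes.  Realm names, class names and the sample requests below
are this example's own assumptions.
"""
from dataclasses import dataclass, field

# RFC 6750 section 3.1: bearer error codes and the status code each uses.
BEARER_STATUS = {
    "invalid_request": 400,
    "invalid_token": 401,
    "insufficient_scope": 403,
}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: dict


def header(request, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in request.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def auth_scheme(request):
    """Scheme token of the Authorization header ('Basic', 'Bearer', ...) or None."""
    value = header(request, "Authorization")
    if not value or not value.strip():
        return None
    return value.strip().split(None, 1)[0]


def quote_param(value):
    """Quote a challenge parameter; RFC 6750 forbids '"' and '\\' in these values."""
    if '"' in value or "\\" in value:
        raise ValueError("challenge parameter must not contain a quote or backslash")
    return f'"{value}"'


def authorization_server_error(request, error, description=None, realm="oauth2"):
    """Token-endpoint error per RFC 6749 section 5.2.

    Every error is 400 except invalid_client.  For invalid_client the
    response is 401 and, when the client authenticated with the Authorization
    header, carries WWW-Authenticate in that same scheme (MUST in the RFC);
    without the header the 401 is the RFC's optional case and no challenge is sent.
    """
    body = {"error": error}
    if description:
        body["error_description"] = description
    headers = {
        "Content-Type": "application/json",
        "Cache-Control": "no-store",
        "Pragma": "no-cache",
    }
    status = 400
    if error == "invalid_client":
        status = 401
        scheme = auth_scheme(request)
        if scheme is not None:
            headers["WWW-Authenticate"] = f"{scheme} realm={quote_param(realm)}"
    return Response(status, headers, body)


def resource_server_error(error, realm="api", scope=None, description=None):
    """Protected-resource error per RFC 6750 section 3.

    Unlike the authorization-server case, the challenge is attached to every
    error: a client that is denied access always learns the scheme, realm and
    reason from WWW-Authenticate.  Attribute order follows the RFC's example.
    """
    if error not in BEARER_STATUS:
        raise ValueError(f"not an RFC 6750 bearer error code: {error}")
    params = [f"realm={quote_param(realm)}"]
    if scope:
        params.append(f"scope={quote_param(scope)}")
    params.append(f"error={quote_param(error)}")
    if description:
        params.append(f"error_description={quote_param(description)}")
    return Response(BEARER_STATUS[error], {"WWW-Authenticate": "Bearer " + ", ".join(params)}, {})


if __name__ == "__main__":
    # Constructed sample requests; the Basic credential is a dummy value.
    basic = Request({"Authorization": "Basic Y2xpZW50OnNlY3JldA=="})
    for resp in (
        authorization_server_error(basic, "invalid_client", "unknown client"),
        authorization_server_error(Request(), "invalid_client"),
        authorization_server_error(basic, "invalid_grant"),
        resource_server_error("invalid_token", description="token expired"),
        resource_server_error("insufficient_scope", scope="read"),
    ):
        print(resp.status, resp.headers.get("WWW-Authenticate"))
```

The point the model makes concrete is that the section 5.2 rule only ever fires for invalid_client, because that is the only token-endpoint error where the client itself failed to authenticate; a denied request at a protected resource is a different exchange, and RFC 6750 is the text that says what its challenge looks like.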