This repository was archived by the owner on Feb 14, 2018. It is now read-only.

WWW-Authenticate header #43

Open
ghost opened this issue Oct 27, 2015 · 4 comments

@ghost

ghost commented Oct 27, 2015

When requests are unauthorized, it might help clients understand what was wrong if nginx-jwt were to send back a WWW-Authenticate header. This seems to be a pretty standard thing, and is mandatory for implementors of OAuth 2.0 Bearer tokens[1]. From the spec:

If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field

Users of the nginx auth_basic module get this for free, and might be surprised that nginx-jwt does not do this too.

Thank you for nginx-jwt!

[1] https://tools.ietf.org/html/rfc6750#section-3

@twistedstream
Contributor

@yeungda-rea: You are absolutely right. I think all we'd need to do is send back this response header:

WWW-Authenticate: Bearer

Would you agree?
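
An added example, not part of the thread and not nginx-jwt's own code: one way to build the RFC 6750 section 3 challenge in Lua, going beyond the bare `Bearer` header discussed above by adding the `error` and `error_description` parameters and their status codes. The function names, the `api` realm and the sample inputs are assumptions made for illustration.

```lua
-- Added example (not nginx-jwt code). Names, realm and samples are assumptions.

-- RFC 6750 limits these parameter values to printable ASCII without '"' and
-- '\'. Dropping every other byte also removes CR/LF, so text derived from a
-- rejected token cannot split the response header.
local function safe_param(value)
  return (tostring(value):gsub('.', function(c)
    local b = c:byte()
    if b < 0x20 or b > 0x7E or c == '"' or c == '\\' then return '' end
  end))
end

-- Build the WWW-Authenticate value. With no realm and no error this is the
-- bare "Bearer" challenge proposed in the comment above.
local function bearer_challenge(realm, err, description)
  local params = {}
  if realm then params[#params + 1] = 'realm="' .. safe_param(realm) .. '"' end
  -- RFC 6750: when the request carried no credentials at all, the response
  -- SHOULD NOT include an error code, so err may be nil.
  if err then
    params[#params + 1] = 'error="' .. safe_param(err) .. '"'
    if description then
      params[#params + 1] = 'error_description="' .. safe_param(description) .. '"'
    end
  end
  if #params == 0 then return 'Bearer' end
  return 'Bearer ' .. table.concat(params, ', ')
end

-- Status codes RFC 6750 section 3.1 pairs with each error code.
local STATUS = { invalid_request = 400, invalid_token = 401, insufficient_scope = 403 }

local function reject(err, description)
  local status = STATUS[err] or 401
  local header = bearer_challenge('api', err, description)
  if ngx then  -- running inside OpenResty: send the response
    ngx.header['WWW-Authenticate'] = header
    return ngx.exit(status)
  end
  return status, header  -- plain Lua: return the values for inspection
end

if not ngx then
  -- Constructed cases: no token, expired token, description carrying CRLF.
  print(reject(nil))
  print(reject('invalid_token', 'The access token expired'))
  print(reject('invalid_token', 'bad "sig"\r\nSet-Cookie: x=1'))
end
```

Run with a plain `lua` interpreter to print the three header values; under OpenResty only `reject` is exercised, from the access-phase handler.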

@roryrjb

roryrjb commented Jan 8, 2016

+1

@platinummonkey
Contributor

I'm not sure what's going on over at auth0 preventing responsiveness, but I decided to fork nginx-jwt over here: https://github.com/platinummonkey/nginx-jwt I'm currently merging in a number of these issue fixes, and will be setting up CI as well.

@roryrjb

roryrjb commented Jan 11, 2016

@platinummonkey yeah was tempted to do the same thing. 👍
