WWW-Authenticate header

When requests are unauthorized, it might help clients understand what was wrong if nginx-jwt were to send back a WWW-Authenticate header. This seems to be a pretty standard thing, and is mandatory for implementors of OAuth 2.0 Bearer tokens[1]. From the spec:

If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field

Users of the nginx the nginx auth_basic module get this for free, and might be surprised that nginx-jwt does not do this too.

Thank you for nginx-jwt!

[1] https://tools.ietf.org/html/rfc6750#section-3

[twistedstream]

@yeungda-rea: You are absolutely right. I think all we'd need to do is send back this response header:

WWW-Authenticate: Bearer

Would you agree?

[roryrjb]

+1

[platinummonkey]

I'm not sure what's going on over at auth0 preventing responsiveness, but I decided to fork nginx-jwt over here: https://github.com/platinummonkey/nginx-jwt I'm currently merging in a number of these issue fixes, and will be setting up CI as well.

[roryrjb]

@platinummonkey yeah was tempted to do the same thing. 👍