
WWW-Authenticate response adds wrong format with comma #676

Closed
JonathanHuot opened this issue May 13, 2019 · 7 comments · Fixed by #787
Labels
Discussion OAuth2-Provider This impact the provider part of OAuth2
Comments

@JonathanHuot
Member

JonathanHuot commented May 13, 2019

Describe the bug

Since 3.0.0 oauthlib returns 401 with a WWW-Authenticate HTTP header. The field currently does not define the realm= option, but that looks OK per the Bearer Token RFC. However, I didn't find any concrete examples of the syntax when realm is not present, or whether we have to add a comma or not.

For example, it's either:
WWW-Authenticate: Bearer, error=access_denied, error_description=foobar
or
WWW-Authenticate: Bearer error=access_denied, error_description=foobar

In 3.0.x, we are sending the former WITH the comma after Bearer.

How to reproduce

Execute raise errors.InvalidTokenError() in your RequestValidator.

Expected behavior

I saw a couple of providers which are sending a comma after the Bearer keyword. I think we must do the same.

Additional context


  • Using server code with bottle-oauthlib declaring an OAuth2 ResourceServer
@JonathanHuot JonathanHuot added Discussion OAuth2-Provider This impact the provider part of OAuth2 labels May 13, 2019
@Abhishek8394
Contributor

  1. There should not be a comma immediately after Bearer as that is incomplete. Bearer expects some more data, like realm for example. Below is an example from RFC 6750 section 3 (end of the intro).

     HTTP/1.1 401 Unauthorized
     WWW-Authenticate: Bearer realm="example",
                       error="invalid_token",
                       error_description="The access token expired"

  2. realm is optional, given you use some other option. As per RFC 2617 Section 3.2.1 the first field so to speak is <challenge-name> <challenge>.
     So we can have Bearer nonce="somenonce" instead of realm. But something has to be there, it cannot be blank.

@JonathanHuot
Member Author

So basically it means that the preferred approach would be to add the realm (or any other "challenge") as a parameter of the oauthlib Server/Endpoint?
I think it makes sense.

@Abhishek8394
Contributor

Abhishek8394 commented May 17, 2019 via email

@freeman1981
Contributor

Hello!
Sorry for my English (google translate helps me).
I use django-oauth-toolkit as an authorization server, and mozilla-django-oidc as a client and resource server.

The client crashes because of the "Bearer," (comma after Bearer) - I had to make a crutch in the client - something like
headers['www-authenticate'] = headers['www-authenticate'].replace('Bearer,', 'Bearer', 1).

I looked at the specs; nowhere did I see a comma, as mentioned by @Abhishek8394. Additionally I looked here.

I suggest removing the comma after Bearer.

@Abhishek8394
Contributor

The comma here is a delimiter. I mentioned that it should not be
Bearer, but Bearer key=value and then comma if more key value pairs
need to be added.
The client should not send Bearer, either. Does it fail for you if you
use the correct form?

@freeman1981
Contributor

freeman1981 commented Nov 13, 2021

If I use the correct form, everything is OK) As I mentioned before, I use the crutch headers['www-authenticate'] = headers['www-authenticate'].replace('Bearer,', 'Bearer', 1) ))

For example Bearer, foo=bar, spam="egg" becomes in my client (mozilla-django-oidc) Bearer foo=bar, spam="egg"

I have some questions for mozilla-django-oidc - but that's another story)

from mozilla_django_oidc.utils import parse_www_authenticate_header
parse_www_authenticate_header('Bearer, foo=bar, spam="egg 42"')
Traceback (most recent call last):
  File "<input>", line 1, in <module>
  File "/usr/local/lib/python3.10/site-packages/mozilla_django_oidc/utils.py", line 20, in parse_www_authenticate_header
    return parse_keqv_list(items)
  File "/usr/local/lib/python3.10/urllib/request.py", line 1425, in parse_keqv_list
    k, v = elt.split('=', 1)
ValueError: not enough values to unpack (expected 2, got 1)
parse_www_authenticate_header('Bearer foo=bar, spam="egg 42"')
{'Bearer foo': 'bar', 'spam': 'egg 42'}
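To make the two header shapes discussed in this thread concrete, here is an added example (not oauthlib's or mozilla-django-oidc's own code) that builds an RFC 6750 Bearer challenge with at least one auth-param and parses one back, rejecting the "Bearer," form that the stdlib `parse_keqv_list` trips over. It assumes a single Bearer challenge in the header value (no second scheme after it) and the simple `key=value` / `key="quoted value"` grammar shown above.

```python
import re

# Added example, not oauthlib's or mozilla-django-oidc's own code: build and
# parse a single RFC 6750 Bearer challenge, rejecting the "Bearer," form.
_PARAM_RE = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"([^"]*)"|([^\s",]+))\s*,?')

def build_bearer_challenge(realm=None, error=None, error_description=None):
    """Return a WWW-Authenticate value: 'Bearer', a space, then one or more
    comma-separated auth-params. Never a comma directly after the scheme."""
    params = []
    if realm is not None:
        params.append('realm="%s"' % realm)
    if error is not None:
        params.append('error="%s"' % error)
    if error_description is not None:
        params.append('error_description="%s"' % error_description)
    if not params:
        raise ValueError("Bearer challenge needs at least one auth-param")
    return "Bearer " + ", ".join(params)

def parse_bearer_challenge(value):
    """Parse 'Bearer k=v, k2="v 2"' into a dict; ValueError on anything that
    is not scheme + key=value list (including a comma right after Bearer)."""
    m = re.match(r"\s*Bearer(?=[\s,]|$)", value)
    if not m:
        raise ValueError("not a Bearer challenge: %r" % value)
    rest = value[m.end():].strip()
    if rest.startswith(","):
        raise ValueError("comma directly after the scheme is not valid")
    params, pos = {}, 0
    while pos < len(rest):
        pm = _PARAM_RE.match(rest, pos)
        if not pm:
            raise ValueError("bad auth-param at %r" % rest[pos:])
        key, quoted, token = pm.groups()
        params[key] = quoted if quoted is not None else token
        pos = pm.end()
    if not params:
        raise ValueError("Bearer challenge needs at least one auth-param")
    return params

def is_well_formed_bearer(value):
    """Boolean wrapper around the parser for validation and tests."""
    try:
        parse_bearer_challenge(value)
        return True
    except ValueError:
        return False
```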

@auvipy
Contributor

auvipy commented Nov 14, 2021

ok

@auvipy auvipy linked a pull request Nov 14, 2021 that will close this issue
@auvipy auvipy added this to the 3.2.0 milestone Jan 30, 2022