Yii Framework Forum: WWW-Authenticate is missing for expired access tokens - Yii Framework Forum

WWW-Authenticate is missing for expired access tokens

#1 User is offline   karlkoch 

  • Newbie
  • Yii
  • Group: Members
  • Posts: 12
  • Joined: 10-September 14

Posted 10 January 2018 - 06:12 AM

Hi,

I'm running a web service with Yii2 which uses HttpBearerAuth for authentication. The web service uses time-limited access tokens.

I've noticed two different behaviors:
  • If for the first request no access token is given in the HTTP request, Yii2 returns 401 including the WWW-Authenticate challenge
  • Later, if for any further request an access token is given, which does not exist anymore (because it is invalid or has expired), Yii2 returns 401 without the WWW-Authenticate challenge

According to the AuthMethod base class, this is currently the way Yii2 implements bearer authentication: the challenge method is only called in the case of empty access tokens. But in my understanding of the OAuth 2.0 RFC, a web service should always return WWW-Authenticate in case a protected resource cannot be accessed, see section 3 of the RFC:

Quote

If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field;

Now, is this a bug in Yii2, or is it normal behavior and I should modify my clients to support 401 authentication errors without any challenge for expired access tokens?

Kind regards
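One way to get the behavior the post asks for without waiting on a framework change is to subclass HttpBearerAuth so that the rejected-token path also emits the challenge, with the RFC 6750 `error="invalid_token"` parameter so clients can tell "no token" from "token expired". This is an added example, not code from the post or from Yii itself; the namespace `app\filters` and the class name `ChallengingBearerAuth` are hypothetical, and it assumes (as the post describes) that the base class calls `handleFailure()` directly when a presented token does not resolve to an identity.

```php
<?php
// Hypothetical namespace; adjust to your application's layout.
namespace app\filters;

use yii\filters\auth\HttpBearerAuth;

/**
 * Bearer authentication that always sends a WWW-Authenticate challenge on 401.
 *
 * The stock HttpBearerAuth only calls challenge() when no token is present
 * (via AuthMethod::beforeAction). When a token is present but rejected
 * (expired, revoked, unknown), it calls handleFailure() straight away and the
 * header is never set. RFC 6750 section 3 requires the header in both cases,
 * so this subclass adds it before delegating to the parent's failure handling.
 */
class ChallengingBearerAuth extends HttpBearerAuth
{
    /**
     * Reached only when a token was presented and rejected, so the
     * invalid_token error code is the correct one to advertise.
     *
     * @param \yii\web\Response $response
     * @throws \yii\web\UnauthorizedHttpException always (from the parent)
     */
    public function handleFailure($response)
    {
        $response->getHeaders()->set(
            'WWW-Authenticate',
            sprintf(
                'Bearer realm="%s", error="invalid_token", '
                . 'error_description="The access token is invalid or has expired"',
                $this->realm
            )
        );

        // Parent throws UnauthorizedHttpException, which produces the 401.
        parent::handleFailure($response);
    }
}

/*
 * Usage in a controller (hypothetical controller class):
 *
 *     public function behaviors()
 *     {
 *         $behaviors = parent::behaviors();
 *         $behaviors['authenticator'] = [
 *             'class' => \app\filters\ChallengingBearerAuth::class,
 *             'realm' => 'api',
 *         ];
 *         return $behaviors;
 *     }
 */
```

With this in place, a request carrying no Authorization header still receives the parent's plain `WWW-Authenticate: Bearer realm="api"` challenge, while a request carrying an expired token receives the same header with `error="invalid_token"`. Clients can then key their refresh-or-reauthenticate logic on the error parameter rather than on the bare 401, which is the distinction the RFC's error codes exist to make.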