WWW-Authenticate header not present when Kong and plugins return HTTP status 401

[chienhsingwu]

Summary

• Kong version ($ kong version) - 2.4.1
  According to the HTTP specification for 401 error, https://httpwg.org/specs/rfc7235.html#status.401, WWW-Authenticate header field containing at least one challenge applicable to the target resource must be returned in the response.

At least the following plugins were observed to not returning the header when returning 401.

1. basic-auth
2. key-auth
3. ldap-auth
4. jwt

For Oauth2 related plugins oauth2 and jwt, below are additional requirements from the related RFCs. They further define what needs to be included in the WWW-Authenticate header.

1. https://datatracker.ietf.org/doc/html/rfc6750#section-3
2. https://datatracker.ietf.org/doc/html/rfc6749#section-5.2

Steps To Reproduce

Exercise any unit tests of those plugins that would return 401 error and add an assertion in those test to detect the header, the assertion would fail.

For example in jwt pluging 03_acces_spec.lua, add the LAST assertion and execute the test, it will fail.

describe("refusals", function()
  it("returns 401 Unauthorized if no JWT is found in the request", function()
    local res = assert(proxy_client:send {
      method  = "GET",
      path    = "/request",
      headers = {
        ["Host"] = "jwt1.com",
      }
    })
    assert.res_status(401, res)
    assert.not_nil(body.headers["WWW-Authenticate"])
  end)

[kikito]

Thank you for reporting this, I consider it a bug, we will add it to our internal tracking system

[kikito]

Internal tracking: KAG-1063

[StarlightIbuki]

Dear contributor,
We're closing this issue as there hasn't been any update to it for a long time. If the issue is still relevant in the latest version, please feel free to reopen it. We're more than happy to revisit it again. Your contribution is greatly appreciated!
Please have a look at our pledge to the community for more information.
Sincerely,
Kong Gateway Team