Description
What happened?
When using the Basic auth scheme with various OAuth endpoints in FusionAuth, FusionAuth will always respond with the WWW-Authenticate response header, even when the status code is not 401.

While required when returning a 401, the spec seems to allow this for other status codes, but it isn't entirely clear and perhaps we are doing it incorrectly. See Section 4.1 of RFC 7235.
Here is the relevant copy in the RFC.
    A server MAY generate a WWW-Authenticate header field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.
If we read "other response messages" to mean a response with a status code other than 401, then we are in theory within the spec.

Regardless of whether this is allowed, it is possible that a client, in response to the presence of this header, will prompt the user to log in even if the status code was not 401, so we may need to revisit this behavior.
One example is next-auth, see:
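To make the client-side concern concrete, here is an added example (not FusionAuth or next-auth code) that contrasts a naive client, which prompts whenever WWW-Authenticate is present, with one that follows RFC 7235 and treats only a 401 as a demand for credentials. The sample responses, the realm value and the assumption that the client supports only the Basic scheme are all constructed for this illustration.

```javascript
// Added example: how a client should interpret WWW-Authenticate under RFC 7235.
// All responses below are constructed; none were captured from FusionAuth.

// Parse a single challenge such as `Basic realm="example"` into { scheme, params }.
// Covers the auth-param form (scheme followed by name=value pairs); the scheme
// is lower-cased because RFC 7235 defines it as case-insensitive.
function parseChallenge(headerValue) {
  const m = /^\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*(.*)$/.exec(headerValue || "");
  if (!m) return null;
  const [, scheme, rest] = m;
  const params = {};
  const paramRe = /([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*("((?:[^"\\]|\\.)*)"|[^,\s]+)/g;
  let p;
  while ((p = paramRe.exec(rest)) !== null) {
    // p[3] is the unquoted body of a quoted-string, p[2] a bare token value
    params[p[1].toLowerCase()] = p[3] !== undefined ? p[3].replace(/\\(.)/g, "$1") : p[2];
  }
  return { scheme: scheme.toLowerCase(), params };
}

// Naive client: any WWW-Authenticate header triggers a login prompt.
// This is the behaviour the issue warns about when the status is not 401.
function naiveShouldPrompt(response) {
  return response.headers["www-authenticate"] !== undefined;
}

// Spec-aware client: only a 401 is a demand for credentials (RFC 7235 section 3.1).
// On any other status the header is just a hint that credentials might change the
// response, so it must not interrupt the user. Assumes the client supports Basic only.
function specAwareShouldPrompt(response) {
  if (response.status !== 401) return false;
  const challenge = parseChallenge(response.headers["www-authenticate"]);
  return challenge !== null && challenge.scheme === "basic";
}

// Constructed responses modelling the behaviour described in the issue: the same
// challenge header is returned regardless of status code.
const constructedResponses = {
  unauthorized: { status: 401, headers: { "www-authenticate": 'Basic realm="example"' } },
  okWithHint:   { status: 200, headers: { "www-authenticate": 'Basic realm="example"' } },
  badRequest:   { status: 400, headers: { "www-authenticate": 'Basic realm="example"' } },
};

for (const [name, response] of Object.entries(constructedResponses)) {
  console.log(name, "naive:", naiveShouldPrompt(response), "spec-aware:", specAwareShouldPrompt(response));
}
```

Running it shows the naive client prompting on all three responses while the spec-aware client prompts only on the 401, which is the difference the issue is concerned about.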
Version
1.48.0
Affects Versions
No response