
Include WWW-Authenticate header for bearer token unauthorized responses #2025

@andriy-dmytruk

Description


Feature description

Per rfc6750#section-3:

If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field; it MAY include it in
response to other conditions as well.

For example, in response to a protected resource request with an authentication attempt using an expired access token:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example",
                  error="invalid_token",
                  error_description="The access token expired"

I see the right error handling is implemented for OAuth2 flows per rfc6749, but not particularly for Bearer token usage when accessing resources.
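The response rules the issue asks for, written out as an added example; this is illustration code, not code from the project behind this issue or from the issue author. It implements the RFC 6750 section 3 mapping of bearer-token failures to status codes and WWW-Authenticate challenges (invalid_request -> 400, invalid_token -> 401, insufficient_scope -> 403, and a bare realm-only challenge when no credentials were sent at all, since section 3.1 says the server SHOULD NOT include an error code in that case). The realm, the token store and the scopes are constructed sample values.

```python
"""RFC 6750 section 3 WWW-Authenticate challenges for a bearer-protected resource.

Added example. REALM and TOKENS are constructed sample values, not a real
token store; a real resource server would validate tokens against its issuer.
"""
import time
from dataclasses import dataclass
from typing import Optional, Set

REALM = "example"  # constructed sample realm, as in the RFC example

# Constructed sample token store: token -> (expiry as epoch seconds, granted scopes)
TOKENS = {
    "tok-valid": (time.time() + 3600, {"read", "write"}),
    "tok-expired": (time.time() - 60, {"read"}),
    "tok-readonly": (time.time() + 3600, {"read"}),
}

# RFC 6750 section 3.1: error code -> HTTP status the resource server responds with
STATUS_FOR_ERROR = {
    "invalid_request": 400,
    "invalid_token": 401,
    "insufficient_scope": 403,
}


@dataclass
class Challenge:
    status: int
    header: str  # value to send in the WWW-Authenticate response header


def _quote(value: str) -> str:
    """Render a quoted-string auth-param value, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_challenge(error: Optional[str] = None,
                    description: Optional[str] = None,
                    scope: Optional[Set[str]] = None) -> Challenge:
    """Build the 'Bearer' challenge. With no error, only the realm is sent (401)."""
    params = [f"realm={_quote(REALM)}"]
    status = 401
    if error is not None:
        status = STATUS_FOR_ERROR[error]
        params.append(f"error={_quote(error)}")
        if description:
            params.append(f"error_description={_quote(description)}")
        if scope:
            # scope attribute lists the scopes needed to access the resource
            params.append(f"scope={_quote(' '.join(sorted(scope)))}")
    return Challenge(status, "Bearer " + ", ".join(params))


def authorize(authorization_header: Optional[str],
              required_scope: Set[str]) -> Optional[Challenge]:
    """Return None when access is granted, otherwise the Challenge to send back."""
    if authorization_header is None:
        # No credentials at all: MUST send WWW-Authenticate, SHOULD NOT send an error code
        return build_challenge()
    scheme, _, token = authorization_header.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        # Auth schemes are case-insensitive; anything else is a malformed request
        return build_challenge("invalid_request", "Malformed Authorization header")
    entry = TOKENS.get(token)
    if entry is None:
        return build_challenge("invalid_token", "Unknown access token")
    expiry, granted = entry
    if time.time() >= expiry:
        return build_challenge("invalid_token", "The access token expired")
    if not required_scope <= granted:
        return build_challenge("insufficient_scope", "Scope not granted", required_scope)
    return None


if __name__ == "__main__":
    for hdr in (None, "Bearer tok-expired", "Bearer tok-readonly", "Basic abc", "Bearer tok-valid"):
        result = authorize(hdr, {"write"})
        print(hdr, "->", "granted" if result is None else f"{result.status} WWW-Authenticate: {result.header}")
```

The challenge is emitted as one header line (comma-separated auth-params) rather than the folded multi-line form shown in the RFC example; both are equivalent on the wire. Note that error_description is restricted by the RFC to a limited ASCII range, so a real implementation should not echo attacker-controlled input into it.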
