client_secret_basic authentication failures should return challenge

[jgrandja]

As per section 3.2.3.1. Error Response:

"invalid_client": Client authentication failed (e.g., unknown
client, no client authentication included, or unsupported
authentication method). The authorization server MAY return an
HTTP 401 (Unauthorized) status code to indicate which HTTP
authentication schemes are supported. If the client attempted
to authenticate via the "Authorization" request header field,
the authorization server MUST respond with an HTTP 401
(Unauthorized) status code and include the "WWW-Authenticate"
response header field matching the authentication scheme used
by the client.

We should respond with the required authentication scheme when a client fails authentication.

[octopusthu]

Hi @jgrandja , the latest version of OAuth 2.1 is draft-ietf-oauth-v2-1-04, so perhaps you could update the link address in the original post to this: 3.2.3.1. Error Response

[Enkosz]

Hi @jgrandja i can work on it, in which version is it planned? Thank you!

[jgrandja]

Thanks for your interest @Enkosz. This enhancement hasn't been planned for a specific release since it's lower priority.

However, if you would like to work on it we can schedule it whenever it is done.