WWW-Authenticate is missing for expired access tokens


I’ve running a web service with Yii2 which uses HttpBearerAuth for authentication. The web service uses time-limited access tokens.

I’ve noticed two different behaviors:


[*]If for the first request no access token is given in the HTTP request, Yii2 returns 401 including the WWW-Authenticate challenge

[*]Later, if for any further request an access token is given, which does not exist anymore (because it is invalid or has expired), Yii2 returns 401 without the WWW-Authenticate challenge


According the AuthMethod base class, this is currently the way Yii2 implements the bearer authentication, the challenge method is only called in case of empty access tokens. But in my understanding of the OAuth 2.0 RFC, a web service should always return WWW-Authenticate in case a protected resource cannot be accessed, see section 3 of the RFC:

Now is this a bug in Yii2 or is it normal behavior and I should modify my clients to support 401 authentication errors without any challenges based on expired access tokes?

Kind regards