Skip to content

Differentiate between 401 and 403 responses and provide www-authenticate headers

Currently all auth-related issues result in a 401 Unauthorized response, which is probably wrong. I think we want this:

  • no credentials at all is 401 Unauthorized
  • bad credentials (X.509 not in grid-mapfile, or token doesn't validate) is 403 Forbidden

Additionally, with a 401 response we should provide a WWW-Authenticate: Bearer response header to direct the user to obtain a bearer token before trying again.