- Update documentation to explain that the middleware sets a WWW-Authenticate header with the Bearer scheme on 401 responses, in compliance with RFC 6750 and RFC 7235
- Fix WWW-Authenticate header value to use Bearer instead of JWT for unauthorized responses
- Adjust related tests to expect Bearer in the WWW-Authenticate header
- Clarify standard compliance in code comments and documentation in all language versions

fix #273

Signed-off-by: appleboy <appleboy.tw@gmail.com>
Pull request overview
This PR fixes the WWW-Authenticate header to use the RFC-compliant "Bearer" scheme instead of the non-standard "JWT" scheme for 401 Unauthorized responses. The change ensures compatibility with standard HTTP authentication frameworks and aligns with RFC 6750 (OAuth 2.0 Bearer Token Usage) and RFC 7235 (HTTP Authentication).
- Changed the WWW-Authenticate header value from "JWT" to "Bearer" in the unauthorized handler
- Updated all test cases to expect the correct "Bearer" scheme
- Added comprehensive documentation explaining the RFC compliance and standard behavior
- Reformatted configuration tables in README files for improved readability
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| auth_jwt.go | Updated unauthorized function to set WWW-Authenticate header with "Bearer" scheme and added detailed RFC compliance documentation |
| auth_jwt_test.go | Updated all test expectations from "JWT realm" to "Bearer realm" across 7 test cases covering various authorization failure scenarios |
| README.md | Added documentation note explaining WWW-Authenticate header behavior with RFC references and reformatted configuration table |
| README.zh-CN.md | Added Chinese documentation note explaining WWW-Authenticate header behavior with RFC references and reformatted configuration table |
| README.zh-TW.md | Added Traditional Chinese documentation note explaining WWW-Authenticate header behavior with RFC references and reformatted configuration table |
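To make the behaviour change concrete, here is an added example (not code from the PR or from the project) of a 401 handler that emits the RFC 6750 / RFC 7235 style `WWW-Authenticate: Bearer realm="..."` challenge, beside a client-side check that identifies the auth-scheme the way a standards-based HTTP client does (first token, compared case-insensitively). The realm value, the JSON body format and the function names are assumptions for this illustration; it uses only the Go standard library rather than the middleware's own API.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// unauthorized writes a 401 whose challenge uses the standard "Bearer" scheme
// (RFC 6750) instead of the non-standard "JWT". %q quotes the realm, which for
// plain realm strings matches the RFC 7235 quoted-string form.
// The JSON body shape is an assumption for this example.
func unauthorized(w http.ResponseWriter, realm string, code int, message string) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf("Bearer realm=%q", realm))
	w.WriteHeader(code)
	fmt.Fprintf(w, `{"code":%d,"message":%q}`, code, message)
}

// ChallengeScheme returns the auth-scheme token of a WWW-Authenticate value.
// RFC 7235: the scheme is the first token and is compared case-insensitively.
func ChallengeScheme(header string) string {
	scheme, _, _ := strings.Cut(strings.TrimSpace(header), " ")
	return strings.ToLower(scheme)
}

// IsBearerChallenge reports whether a response is a 401 carrying a challenge
// that an RFC 6750 client would recognise as Bearer.
func IsBearerChallenge(resp *http.Response) bool {
	return resp.StatusCode == http.StatusUnauthorized &&
		ChallengeScheme(resp.Header.Get("WWW-Authenticate")) == "bearer"
}

// Serve401 runs the handler in-process and returns the recorded response.
func Serve401(realm string) *http.Response {
	rec := httptest.NewRecorder()
	unauthorized(rec, realm, http.StatusUnauthorized, "auth header is empty")
	return rec.Result()
}

func main() {
	resp := Serve401("example")
	fmt.Println(resp.StatusCode, resp.Header.Get("WWW-Authenticate"), IsBearerChallenge(resp))
	// The pre-fix value would not be recognised by a standards-based client:
	fmt.Println(ChallengeScheme(`JWT realm="example"`) == "bearer")
}
```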
| 将认证通过的用户数据转为 `MapClaims`(map[string]any),必须包含 `IdentityKey`(默认 `"identity"`)。 | ||
|
|
||
| **标准 JWT Claims(RFC 7519):** 您可以在 `PayloadFunc` 中设置标准 JWT claims 以提高互操作性: | ||
|
|
This blank line appears to be added unnecessarily in the middle of a documentation section. It disrupts the flow between the introductory text about JWT claims and the bulleted list. Consider removing this extra blank line to maintain consistent documentation formatting.
| 將驗證通過的使用者資料轉為 `MapClaims`(map[string]any),必須包含 `IdentityKey`(預設為 `"identity"`)。 | ||
|
|
||
| **標準 JWT Claims(RFC 7519):** 您可以在 `PayloadFunc` 中設定標準 JWT claims 以提高互通性: | ||
|
|
This blank line appears to be added unnecessarily in the middle of a documentation section. It disrupts the flow between the introductory text about JWT claims and the bulleted list. Consider removing this extra blank line to maintain consistent documentation formatting.
fix #273