@mariusor I think you might be right. I think if the request is invalid, it should return 401 with the WWW-Authenticate header and the required headers.
@mariusor I think you might be right. I think if the request is invalid, it should return 401 with the WWW-Authenticate header and the required headers.