shelley

Reputation: 7324

Multiple Authentication Schemes and WWW-Authenticate Challenges

I am developing a REST API which supports multiple authentication schemes (OAuth, Bearer, and Basic). When the Authorization header is absent or contains an unsupported scheme, the service responds with multiple WWW-Authenticate headers:

WWW-Authenticate: OAuth realm="myRealm"
WWW-Authenticate: Bearer realm="myRealm"
WWW-Authenticate: Basic realm="myRealm"

When a request contains an Authorization header with one of the supported schemes but invalid credentials, should my service respond with all supported WWW-Authenticate schemes, or just the scheme provided in the request?

For example, if a client provides:

Authorization: Bearer invalid

Should my service respond with just the Bearer challenge?

WWW-Authenticate: Bearer realm="myRealm", error="invalid_token", error_description="token is malformed or represents invalid credentials"

Or should it respond with all WWW-Authenticate challenges?

WWW-Authenticate: Bearer realm="myRealm", error="invalid_token", error_description="token is malformed or represents invalid credentials"
WWW-Authenticate: OAuth realm="myRealm"
WWW-Authenticate: Basic realm="myRealm"

EDIT: RFC 7235 seems to provide a suggestion, although it's not concrete. I've added an answer accordingly.

Upvotes: 0

Views: 1637

Answers (1)

shelley

Reputation: 7324

Although it's not strictly required, RFC 7235 seems to suggest that all supported authentication schemes should be returned. This will provide the most information to callers, provided they are able to parse these headers properly.

4.1. WWW-Authenticate

The "WWW-Authenticate" header field indicates the authentication scheme(s) and parameters applicable to the target resource.

WWW-Authenticate = 1#challenge

A server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one challenge. A server MAY generate a WWW-Authenticate header field in other response messages to indicate that supplying credentials (or different credentials) might affect the response.

Upvotes: 2
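As an added example (not code from the question or the answer), the following shows both halves of the approach the answer recommends: a server that always emits a challenge for every supported scheme, leading with the scheme the client actually failed on, and a client that parses the combined `1#challenge` value back, which is the part callers get wrong because commas separate both parameters and challenges. The schemes, realm and error parameters are the ones from the question; the function names and the rule of putting the failed scheme first are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

SUPPORTED_SCHEMES = ("OAuth", "Bearer", "Basic")
REALM = "myRealm"

# RFC 7230 token characters: used for scheme names, parameter names and bare values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SCHEME_RE = re.compile(rf"\s*({_TOKEN})")
_PARAM_RE = re.compile(rf'\s*({_TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{_TOKEN})')
_SEP_RE = re.compile(r"[\s,]*")  # optional whitespace/commas between list elements


def build_www_authenticate(failed_scheme: Optional[str]) -> List[str]:
    """Server side: one WWW-Authenticate value per supported scheme for the 401.

    failed_scheme is the scheme the client sent with bad credentials (None when the
    Authorization header was absent or unsupported). Assumed policy: that scheme's
    challenge goes first; for Bearer it carries the error parameters from the question.
    """
    challenges = {s: f'{s} realm="{REALM}"' for s in SUPPORTED_SCHEMES}
    match = next((s for s in SUPPORTED_SCHEMES
                  if failed_scheme and s.lower() == failed_scheme.lower()), None)
    if match is None:
        return list(challenges.values())
    if match == "Bearer":
        challenges["Bearer"] += (', error="invalid_token", error_description='
                                 '"token is malformed or represents invalid credentials"')
    first = challenges.pop(match)
    return [first] + list(challenges.values())


def parse_challenges(header_value: str) -> List[Tuple[str, Dict[str, str]]]:
    """Client side: split a WWW-Authenticate value (1#challenge) into (scheme, params).

    A token that is not followed by '=' starts a new challenge; quoted values may
    contain commas and escaped quotes. The token68 form (e.g. Negotiate blobs) is
    not handled here.
    """
    challenges, pos = [], 0
    while (m := _SCHEME_RE.match(header_value, _SEP_RE.match(header_value, pos).end())):
        scheme, params, pos = m.group(1), {}, m.end()
        while (p := _PARAM_RE.match(header_value, _SEP_RE.match(header_value, pos).end())):
            value = p.group(2)
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # strip quotes and escapes
            params[p.group(1).lower()] = value  # auth-param names are case-insensitive
            pos = p.end()
        challenges.append((scheme, params))
    return challenges
```

Multiple WWW-Authenticate header lines may be combined by intermediaries into one comma-joined value, so the parser is fed `", ".join(values)` rather than one line at a time.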
