  1. eZ Publish / Platform
  2. EZP-18179

Headers don't comply with OAuth 2.0 r10 spec in case of an OAuth error

Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 4.5.0
    • 4.5.0beta2
    • None

    Description

      We currently follow the OAuth 2.0 r10 spec, and in case of an authentication error, the WWW-Authenticate response header should always be present, with the error type (see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-5.2). This is not currently the case.

      For instance, the response header for an expired token should contain:

      WWW-Authenticate: OAuth realm='eZ Publish REST', error='expired_token'
      

      Of course, this is subject to change in future revisions of the OAuth 2.0 spec (such as JSON in the response body), but as we follow r10, we should fully comply with it.

      Steps to reproduce

      Provide an expired or invalid access token with your request
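
A regression check for the behaviour described above, added here as an example (it is not code from the eZ Publish project). It parses a `WWW-Authenticate` value in the form shown in the description and reports what is missing; the function names and the two sample header sets are constructed for illustration.

```python
import re

# One auth-param: name=value, where the value is single-quoted (as in the issue),
# double-quoted, or a bare token, followed by a comma or the end of the string.
_PARAM = re.compile(
    r"""\s*([A-Za-z_][\w-]*)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s,'"]+))\s*(?:,|$)""")

def parse_challenge(value):
    """Split "OAuth realm=..., error=..." into (scheme, {param: value})."""
    scheme, _, rest = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d" % pos)
        # Exactly one of the three value groups matched; keep that one.
        params[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
        pos = m.end()
    return scheme, params

def check_oauth_error_headers(headers, expected_error=None):
    """Return a list of problems found in an OAuth error response's headers."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if value is None:
        return ["WWW-Authenticate header missing"]
    try:
        scheme, params = parse_challenge(value)
    except ValueError as exc:
        return ["WWW-Authenticate unparsable: %s" % exc]
    problems = []
    if scheme.lower() != "oauth":
        problems.append("unexpected scheme: %s" % scheme)
    if "realm" not in params:
        problems.append("realm attribute missing")
    if not params.get("error"):
        problems.append("error attribute missing")
    elif expected_error and params["error"] != expected_error:
        problems.append("error is %r, expected %r" % (params["error"], expected_error))
    return problems

# Constructed samples: the reported behaviour (no header) and the expected one.
REPORTED = {"Content-Type": "text/html"}
EXPECTED = {"WWW-Authenticate": "OAuth realm='eZ Publish REST', error='expired_token'"}
```

Pass it the headers of the response obtained with an expired token: an empty list means the header carries the scheme, realm and error type.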

          People

            jv@ez.no