fix step-up auth to work with python too

pcarleton · pcarleton · commit d5b74e8e788f · 2025-11-18T15:16:17.000Z
diff --git a/src/scenarios/client/auth/scope-handling.ts b/src/scenarios/client/auth/scope-handling.ts
@@ -347,11 +347,12 @@ export class ScopeStepUpAuthScenario implements Scenario {
 
       if (!hasRequiredScopes) {
         // Has token but insufficient scopes - return 403
+        // Per RFC 6750 Section 3, must include error in WWW-Authenticate header
         return res
           .status(403)
           .set(
             'WWW-Authenticate',
-            `Bearer scope="${requiredScopes.join(' ')}", resource_metadata="${resourceMetadataUrl()}"`
+            `Bearer error="insufficient_scope", error_description="Token has insufficient scope", scope="${requiredScopes.join(' ')}", resource_metadata="${resourceMetadataUrl()}"`
           )
           .json({
             error: 'insufficient_scope',
