WWW-Authenticate header split #185
IdentityServer version: 7.2.0

.NET version: 9.0

Description

Following an update from IdentityServer 7.0.8 to 7.2.0 and from .NET 8.0 to .NET 9.0, we observed that the WWW-Authenticate header now splits into multiple headers for 401 responses.

Before:

After:

I believe this commit caused this change as an unintended side effect:

Clients are processing the response with multiple headers differently. For many clients, there is no issue as they concatenate the headers as a single comma-delimited value, resulting in zero functional change between the versions. We have found a smaller number of clients that treat distinct headers as distinct challenges, treating

Reproduction Steps

Trigger any request that would result in a 401, such as a request to /connect/userinfo without a token.
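An added example, not part of the original post and not Duende's code: a client-side parser that joins every WWW-Authenticate field line before splitting it into challenges, so the single-header and split-header forms of a 401 read identically (RFC 9110 gives repeated field lines the same meaning as one comma-joined value). The header values and the names `parse_challenges`, `ONE_LINE` and `SPLIT_LINES` are constructed for illustration.

```python
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})$')
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.+))?$")
# One list item: a run of quoted strings and characters that are not commas.
ITEM = re.compile(r'(?:"(?:[^"\\]|\\.)*"|[^,"])+')

# Constructed sample values, not captured IdentityServer output.
ONE_LINE = ['Bearer realm="example", error="invalid_token"']
SPLIT_LINES = ['Bearer realm="example"', 'error="invalid_token"']


def unquote(value):
    """Strip the quotes and backslash escapes from a quoted-string."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_challenges(field_lines):
    """Parse all WWW-Authenticate field lines of one response, in order."""
    challenges = []
    # Join first: a line holding only auth-params continues the challenge
    # started on an earlier line, it is not a challenge of its own.
    combined = ", ".join(field_lines)
    for item in (i.strip() for i in ITEM.findall(combined)):
        if not item:
            continue
        param = PARAM.match(item)
        if param:
            if not challenges:
                raise ValueError(f"auth-param before any scheme: {item!r}")
            challenges[-1][1][param[1].lower()] = unquote(param[2])
            continue
        start = SCHEME.match(item)
        if not start:
            raise ValueError(f"malformed challenge: {item!r}")
        scheme, rest = start.groups()
        challenges.append((scheme, {}))
        first = PARAM.match(rest) if rest else None
        if first:
            challenges[-1][1][first[1].lower()] = unquote(first[2])
        elif rest:
            challenges[-1][1]["token68"] = rest
    return challenges
```

Parsing `SPLIT_LINES[1]` on its own raises `ValueError`, which is the per-line reading that breaks once the header is split.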
Replies: 1 comment 2 replies
Thanks for this great, detailed bug report @PaulKaldahl-Zywave! You're right about how this was introduced, and the change in behavior was unintentional. I've just merged @khalidabuhakmeh's PR (DuendeSoftware/products#1998) to fix it, and add tests to prevent the regression in future. We'll get an IdentityServer 7.2.3 patch release out soon with the fix.
Okay, IdentityServer 7.2.3 is released!
Release notes: https://github.com/DuendeSoftware/products/releases/tag/is-7.2.3
NuGet: https://www.nuget.org/packages/Duende.IdentityServer/7.2.3