From d6d3435d3a4069ca248f8324644181b936ea1567 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Fri, 12 Dec 2025 17:05:24 -0500
Subject: [PATCH 1/2] fix: HTTP Authentication challenge responds with 401 status
Signed-off-by: Andrew Azores
---
 oauthproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauthproxy.go b/oauthproxy.go
index c6db18a7..3ca99d75 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -1038,7 +1038,7 @@ func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
 // the user did not explicitly start the login flow
 p.doOAuthStart(rw, req, nil)
 } else {
- p.SignInPage(rw, req, http.StatusForbidden)
+ p.SignInPage(rw, req, http.StatusUnauthorized)
 }
 case ErrAccessDenied:
From 0201bdd0bd2b16283b252c6d9c96477595c4502b Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Fri, 12 Dec 2025 17:40:18 -0500
Subject: [PATCH 2/2] include WWW-Authenticate response headers
Signed-off-by: Andrew Azores
---
 oauthproxy.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/oauthproxy.go b/oauthproxy.go
index 3ca99d75..2cbe4d26 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -633,6 +633,10 @@ func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
 // SignInPage writes the sign in template to the response
 func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code int) {
 prepareNoCache(rw)
+ rw.Header().Set("WWW-Authenticate", "Bearer")
+ if p.basicAuthValidator != nil {
+ rw.Header().Add("WWW-Authenticate", "Basic")
+ }
 rw.WriteHeader(code)
 redirectURL, err := p.appDirector.GetRedirect(req)
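Review bot: Taken alone, patch 1/2 makes the `else` branch of `Proxy` return 401 without a `WWW-Authenticate` header, which RFC 9110 requires on that status; the header only arrives in patch 2/2, so squashing the two (or landing the header first) keeps every commit in the series conformant. The move from 403 to 401 is visible to clients, health checks and any alerting keyed on the old status, so a test asserting the status and a changelog line would help. A short comment on the call would record the intent, e.g. `// 401, not 403: the request is unauthenticated and may be retried with credentials`. The body of `Proxy` starts and ends outside this hunk.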
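Review bot: The `Basic` challenge added to `SignInPage` in patch 2/2 carries no `realm` parameter, which RFC 7617 requires, and both `WWW-Authenticate` values are written for whatever `code` the caller passes rather than only for 401. I would wrap the new lines in `if code == http.StatusUnauthorized {` and send `Basic realm="<realm>"` (placeholder; pick the value the deployment should show). Browsers generally answer a 401 carrying a `Basic` challenge with their native credential dialog, so with `basicAuthValidator` set users may be prompted there before the sign-in template renders; confirm that is intended. `Bearer` is also advertised unconditionally, and nothing in this hunk shows that bearer tokens are accepted in every configuration. The rest of `SignInPage` lies outside the hunk.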