Better error message when access_token is missing

kong/plugins/oauth2/access.lua

@@ -393,7 +393,7 @@ function _M.execute(conf)
 
   local accessToken = parse_access_token(conf);
   if not accessToken then
-    return responses.send_HTTP_UNAUTHORIZED({}, false, {["WWW-Authenticate"] = 'Bearer realm="service"'})
+    return responses.send_HTTP_UNAUTHORIZED({[ERROR] = "invalid_request", error_description = "The access token is missing"}, false, {["WWW-Authenticate"] = 'Bearer realm="service"'})
   end
 
   local token = retrieve_token(accessToken)

spec/plugins/oauth2/access_spec.lua

@@ -453,6 +453,14 @@ describe("Authentication Plugin", function()
 
     describe("Password Grant", function()
 
+      it("should block unauthorized requests", function()
+        local response, status = http_client.get(PROXY_SSL_URL.."/request", {}, {host = "oauth2_5.com"})
+        local body = cjson.decode(response)
+        assert.are.equal(401, status)
+        assert.are.equal("invalid_request", body.error)
+        assert.are.equal("The access token is missing", body.error_description)
+      end)
+
       it("should return an error when client_secret is not sent", function()
         local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/token", { client_id = "clientid123", scope = "email", response_type = "token" }, {host = "oauth2_5.com"})
         local body = cjson.decode(response)
@@ -697,7 +705,8 @@ describe("Authentication Plugin", function()
       local body = cjson.decode(response)
       assert.are.equal(401, status)
       assert.are.equal('Bearer realm="service"', headers['www-authenticate'])
-      assert.are.equal(0, utils.table_size(body))
+      assert.are.equal("invalid_request", body.error)
+      assert.are.equal("The access token is missing", body.error_description)
     end)
 
     it("should return 401 Unauthorized when an invalid access token is being sent via url parameter", function()