OAuth2Provider looks for an access token in the HTTP Authorization header. The same header is also sent when using basic auth, but because it doesn't contain a real token, OAuth2Provider responds with "400 Bad digest".
We have oauth2 access for some routes and basic auth for some others (for debugging). It would be great if the oauth provider didn't automatically respond but if it could be configured to allow fall through to other middleware.
Alternatively, the login method could be rearranged to fire a different event if the access token was found to be absent or invalid - the event could choose to send a response or allow fall-through. Any preference either way?
I prefer the former -- checking that the Authorization header is of a Bearer type before responding.
Fall-through to next middleware if Authorization isn't of type Bearer.
This should allow standard HTTP auth to function in a subsequent
middleware down the stack.
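
The scheme check discussed in this thread, sketched as a Connect-style middleware. This is an added example, not OAuth2Provider's own code; `parseAuthorization`, `bearerGate`, `verifyToken` and the sample token are hypothetical names and constructed values.

```javascript
'use strict';

// Split an Authorization header value into scheme and credentials.
// Scheme names are case-insensitive, so normalise to lower case.
function parseAuthorization(value) {
  if (typeof value !== 'string') return null;
  const m = /^(\S+)(?:\s+(.*))?$/.exec(value.trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), credentials: (m[2] || '').trim() };
}

// Middleware that only claims requests whose scheme is Bearer.
// verifyToken(token) is an assumed callback returning a user object or null.
function bearerGate(verifyToken) {
  return function (req, res, next) {
    const auth = parseAuthorization(req.headers['authorization']);
    // No header, or another scheme (Basic, Digest, ...): not ours, fall through.
    if (!auth || auth.scheme !== 'bearer') return next();
    // Bearer scheme with a missing or rejected token is an OAuth failure:
    // answer here rather than passing the request on unauthenticated.
    const user = auth.credentials ? verifyToken(auth.credentials) : null;
    if (!user) {
      res.statusCode = 401;
      res.setHeader('WWW-Authenticate', 'Bearer error="invalid_token"');
      return res.end();
    }
    req.user = user;
    next();
  };
}

// Drive the gate with constructed requests, no server needed.
function run(headerValue) {
  const out = { nextCalled: false, status: null, user: null };
  const req = { headers: headerValue === undefined ? {} : { authorization: headerValue } };
  const res = {
    setHeader() {},
    end() { out.status = this.statusCode; },
  };
  const verify = (t) => (t === 'good-token' ? { id: 1 } : null); // constructed token
  bearerGate(verify)(req, res, () => { out.nextCalled = true; });
  out.user = req.user || null;
  return out;
}
```

A request that falls through carries no `req.user`, so every route behind this gate still needs a later middleware that rejects requests no scheme has authenticated.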