Fix regular expression used to validate WWW-Authenticate-style challenges
The spec says (see 4.1.3.1):
"1. The AuthorizationDetails endpoint capability contains an ArrayOfString with WWW-Authenticate style challenges. NOTE: The AuthorizeResponse message also contains a similar array of string with WWW-Authenticate style challenges."
It goes on to say (see 5.2.3):
"2. To support the required authorization workflow (to enable an endpoint to acquire an access token with the necessary scope from the designated authorization server), the AuthorizationDetails endpoint capability MUST include at least one challenge with the Bearer scheme which must include the 'authz_server' and 'scope' parameters."
However, the format of a WWW-Authenticate style challenge is defined as (see here):
"WWW-Authenticate: auth-param1=token1, ..., auth-paramN=auth-paramN-token"
The regular expression currently used by tests is:
/^Bearer authz_server=\"https://[a-zA-Z-_0-9]+(/[a-zA-Z-_0-9]+)+\" scope=\"[a-zA-Z-_0-9]+\"$/
but this is incorrect for the following reasons:
- It mandates that authz_server is the first parameter; the parameters could appear in any order.
- It does not match a hostname like my.server.com, because the hostname part of the regex does not accept the "." character.
- The list of parameters should be comma-delimited, not space-delimited.
- It rejects an empty scope, e.g. scope="" (that is probably fine: RFC 6750 §3 defines the scope value as one or more space-separated scope-tokens, so an empty scope is not valid anyway).
- It does not allow any additional parameters beyond authz_server and scope.
A better regex would be: /^Bearer (\w+="[^"]+")(?:, \w+="[^"]*")*$/
In addition to this, we should also verify that an authz_server param and a scope param are both present (in any order). This regex solves all the other issues listed above, with two caveats: it only accepts parameter names made of \w characters and exactly ", " between parameters, whereas RFC 7235 §2.1 allows any token characters in the name (hyphens and dots included), unquoted token values, and optional whitespace around the comma; and it requires the first value to be non-empty ([^"]+) but allows later values to be empty ([^"]*). Splitting the challenge into a name/value map and then checking the required entries is more robust than trying to do everything in one regex.
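As an added example (not part of the original issue or of the project's tests), here is a small Node.js implementation of that check. It parses a Bearer challenge into a parameter map following the RFC 7235 auth-param grammar (comma-separated, any order, optional whitespace, token or quoted-string values, case-insensitive names, no duplicates), then verifies that authz_server is an absolute https URL and that scope is present and non-empty, while allowing extra parameters. The https requirement is carried over from the original regex rather than taken from the spec, and the sample challenges are constructed for illustration.

```javascript
// Added example: parsing and checking a Bearer challenge for the
// AuthorizationDetails capability. Not the project's own test code.
//
// Grammar from RFC 7235 §2.1 (list rule from RFC 7230 §7):
//   challenge  = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
//   auth-param = token BWS "=" BWS ( token / quoted-string )
// Names are case-insensitive, may appear in any order and must not repeat.

const TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
const QUOTED_STRING = '"(?:[^"\\\\]|\\\\.)*"';
// One auth-param followed by a comma or the end of the string. The sticky
// flag makes each match start exactly at lastIndex, so nothing is skipped.
const PARAM_RE = new RegExp(
  `\\s*(${TOKEN})\\s*=\\s*(${TOKEN}|${QUOTED_STRING})\\s*(?:,|$)`,
  "y"
);

// Strip the surrounding quotes and unescape quoted-pairs (\" -> ").
function unquote(value) {
  return value[0] === '"' ? value.slice(1, -1).replace(/\\(.)/g, "$1") : value;
}

// Parse a single Bearer challenge into { name: value } with lower-cased names.
// Returns null for anything that is not a well-formed comma-separated list,
// which includes the space-separated form the old regex accepted.
function parseBearerChallenge(challenge) {
  const scheme = /^Bearer\s+/i.exec(challenge);
  if (!scheme) return null;
  const params = {};
  PARAM_RE.lastIndex = scheme[0].length;
  while (PARAM_RE.lastIndex < challenge.length) {
    const m = PARAM_RE.exec(challenge);
    if (!m) return null;
    const name = m[1].toLowerCase();
    if (name in params) return null; // a parameter name must occur only once
    params[name] = unquote(m[2]);
  }
  return Object.keys(params).length ? params : null;
}

// Check the challenge against the requirements quoted above: Bearer scheme,
// authz_server and scope both present (any order, extra params allowed),
// authz_server an absolute https URL (kept from the old regex), scope
// non-empty (RFC 6750 §3). Returns a list of problems; empty means valid.
function checkAuthorizationDetailsChallenge(challenge) {
  const params = parseBearerChallenge(challenge);
  if (!params) return ["not a well-formed Bearer challenge"];
  const problems = [];
  if (!("authz_server" in params)) {
    problems.push("missing authz_server");
  } else {
    let url;
    try { url = new URL(params.authz_server); } catch (_) { url = null; }
    if (!url || url.protocol !== "https:") {
      problems.push("authz_server is not an absolute https URL");
    }
  }
  if (!("scope" in params)) {
    problems.push("missing scope");
  } else if (params.scope.trim() === "") {
    problems.push("scope is empty");
  }
  return problems;
}

// Constructed sample challenges (not taken from the spec or a real endpoint).
const SAMPLES = {
  // params in a different order, dotted hostname, extra realm param: valid
  good: 'Bearer realm="charger", scope="readonly ops", authz_server="https://my.server.com/auth"',
  // the form the old regex accepted: space-separated, so not a valid list
  spaceSeparated: 'Bearer authz_server="https://my.server.com/auth" scope="readonly"',
  noScope: 'Bearer authz_server="https://my.server.com/auth"',
  emptyScope: 'Bearer authz_server="https://my.server.com/auth", scope=""',
  httpServer: 'Bearer scope="readonly",authz_server="http://my.server.com/auth"',
};

for (const [label, challenge] of Object.entries(SAMPLES)) {
  const problems = checkAuthorizationDetailsChallenge(challenge);
  console.log(`${label}: ${problems.length ? problems.join("; ") : "OK"}`);
}
```

The parser deliberately returns null rather than a partial map on any syntax error, so a test that only looks for the two required names cannot be fooled by a malformed challenge that happens to contain the substrings authz_server= and scope=.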