oauth-v2-1
the invalid_client error and HTTP authentication schemas
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#section-3.2.3.1 says that
"invalid_client": Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported.
I am not so sure if it's possible to indicate HTTP authentication schemas for private_key_jwt and client_secret_jwt client authentication types.
This text also indicates that multiple authentication schemas are supported. Thus, does the authorization server need to specify multiple WWW-Authenticate headers, say "WWW-Authenticate: Basic" and "WWW-Authenticate: Bearer"?
It would be great to clarify these nuances.
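As an added illustration that is not part of the thread, a small Python model of the MAY in section 3.2.3.1: the server builds the invalid_client error and advertises only those client authentication methods that map onto a registered HTTP scheme (private_key_jwt and client_secret_jwt travel as form parameters, so there is no scheme to advertise), and the client-side parser accepts both a single comma-joined WWW-Authenticate value and repeated header fields, which RFC 9110 treats as equivalent. The method table and realm name are constructed for the example.

```python
import json

# Constructed table: methods this hypothetical authorization server accepts,
# mapped to an HTTP authentication scheme where one exists.  The JWT-based
# methods are sent in the request body, so they have no WWW-Authenticate form.
SUPPORTED_METHODS = {
    "client_secret_basic": ("Basic", {"realm": "token"}),
    "private_key_jwt": None,
    "client_secret_jwt": None,
}

def invalid_client_response(methods=SUPPORTED_METHODS):
    """Return (status, headers, body) for an invalid_client token-endpoint error.

    The JSON error body is always sent.  The 401 plus WWW-Authenticate is the
    optional hint; if nothing can be advertised, fall back to the usual 400.
    All challenges go into one comma-separated field value."""
    challenges = []
    for scheme_info in methods.values():
        if scheme_info is None:
            continue
        scheme, params = scheme_info
        param_str = ", ".join(f'{k}="{v}"' for k, v in params.items())
        challenges.append(f"{scheme} {param_str}" if param_str else scheme)
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    status = 400
    if challenges:
        status = 401
        headers["WWW-Authenticate"] = ", ".join(challenges)
    body = json.dumps({"error": "invalid_client",
                       "error_description": "Client authentication failed"})
    return status, headers, body

def _split_commas(value):
    """Split on commas that are not inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_www_authenticate(values):
    """Parse WWW-Authenticate (one string or a list of repeated fields) into
    [(scheme, {param: value})].  A comma-separated piece whose first word has
    no '=' starts a new challenge; otherwise it continues the previous one."""
    if isinstance(values, str):
        values = [values]
    challenges = []
    for value in values:
        for piece in _split_commas(value):
            head, _, rest = piece.partition(" ")
            if "=" not in head:
                challenges.append((head, {}))
                piece = rest.strip()
            if piece and challenges:
                k, _, v = piece.partition("=")
                challenges[-1][1][k.strip()] = v.strip().strip('"')
    return challenges
```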
I'm honestly not sure how much useful behaviour can really be dictated about invalid_client errors.
I wonder if there are any clients that attempt to parse the WWW-Authenticate header and try a different authentication mechanism? The clients I'm aware of all require the client authentication to be explicitly configured.