Symfony version(s) affected
6.3 (previous versions should be affected too)
Description
When access token authentication fails, the response is sent with a WWW-Authenticate header that sometimes contains non-ASCII characters, which are not valid in a header value.
This is especially problematic when hosting our website on Azure App Service, because the web server on the Azure side fails to forward the response and returns an empty 500 error response instead of, for example, a 401. This is not a bug on Azure's side, however: web servers should not accept those characters; some do, but not all of them.
Those non-ASCII characters only appear for certain translations. For example, in Spanish the WWW-Authenticate header has this value:
Bearer error="invalid_token",error_description="Credenciales no válidas."
containing the character Ã (0x00C3).
I believe the error_description should not be translated and should only return a translation key, or another way to return the translated value should be used (the response body, for example).
How to reproduce
Throw an exception that triggers this response (it may be necessary to throw it inside a token_handler of an access_token firewall), for example:
throw new BadCredentialsException('Invalid credentials.');
You should see a WWW-Authenticate header in the response; for some locales, for example es_ES, the header contains non-ASCII characters.
Possible Solution
In the AccessTokenAuthenticator class, the onAuthenticationFailure method should not attempt to translate the messageKey.
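As an added illustration of the proposed fix (this is example code, not Symfony's AccessTokenAuthenticator), the script below builds the WWW-Authenticate value in the shape quoted in the report, once with the translated es_ES message and once with the untranslated message key, and checks each result against the field-value grammar of RFC 9110 (VCHAR, SP and HTAB only; bytes at or above 0x80 are "obs-text", which senders must not generate). The helper names isAsciiHeaderValue and buildAuthenticateHeader are hypothetical; the sample Spanish string is the one from the report.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: shows why the translated description breaks
// the header and why the untranslated message key does not.

// Accept only printable ASCII, space and tab. Without the /u flag preg works
// byte-wise, so a UTF-8 "á" (0xC3 0xA1) is rejected on its first byte.
function isAsciiHeaderValue(string $value): bool
{
    return 1 === preg_match('/\A[\x20-\x7E\x09]*\z/', $value);
}

// Mirrors the quoted format: Bearer error="...",error_description="..."
// Quotes and backslashes inside a quoted-string must be escaped (quoted-pair).
function buildAuthenticateHeader(string $errorDescription): string
{
    $escaped = addcslashes($errorDescription, '"\\');

    return sprintf('Bearer error="invalid_token",error_description="%s"', $escaped);
}

// "Before": the locale-dependent translation ends up in the header.
$translated = 'Credenciales no válidas.';   // es_ES translation quoted in the report
$before = buildAuthenticateHeader($translated);

// "After": the untranslated message key goes in the header; the translated text,
// if needed at all, belongs in the response body where UTF-8 is fine.
$messageKey = 'Invalid credentials.';        // message key of the exception thrown above
$after = buildAuthenticateHeader($messageKey);

foreach (['before' => $before, 'after' => $after] as $label => $header) {
    printf("%s: %s\n  ASCII-safe: %s\n", $label, $header, isAsciiHeaderValue($header) ? 'yes' : 'no');

    if (!isAsciiHeaderValue($header)) {
        // Render the offending bytes so a log reader sees why a proxy dropped the response.
        $shown = preg_replace_callback(
            '/[^\x20-\x7E\x09]/',
            fn(array $m): string => sprintf('\\x%02X', ord($m[0])),
            $header
        );
        printf("  offending bytes: %s\n", $shown);
    }
}
```

Run with php on the command line: the "before" header is reported as not ASCII-safe with the bytes \xC3\xA1 highlighted (the 0xC3 the report mentions), while the "after" header passes. The same isAsciiHeaderValue check is cheap enough to run in a functional test over every response header, which catches a translated value leaking into a header before a reverse proxy turns it into an opaque 500.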