JSON:API can't handle exceptions thrown during authentication

Making a valid request to a JSON:API route with invalid authentication can result in a html formatted response instead of api_json, if the Authentication Provider throws an exception.

Because the authentication_subscriber runs before the route_listener, the exception ends the propagation of the kernel.request event without correctly setting the format and route parameters (An example in simple_oauth 🐛 JSON:API can't handle exceptions thrown by the authentication provider Active ).

When JSON:API DefaultExceptionSubscriber checks if the error should be formatted using JSON:API, neither the format nor the route parameters have been set and isJsonApiExceptionEvent returns false.

protected function isJsonApiExceptionEvent(GetResponseForExceptionEvent $exception_event) {
    $request = $exception_event->getRequest();
    $parameters = $request->attributes->all();
    return $request->getRequestFormat() === 'api_json' || (bool) Routes::getResourceTypeNameFromParameters($parameters);
  }

The reasons why the Authentication Provider may throw an exception instead of just return NULL are here #2840205: Error messages/codes should be more helpful & match spec. → .

I've been wondering whether this issue needs to be fixed at the Authentication Providers or JSON:API. I think at least in the case of expired tokens makes more sense to return 401.

A possible solution would be to directly check on the request if 'application/vnd.api+json' is in the Accept header. See patch