Diffstat (limited to 'oauthlib/oauth2/rfc6749/errors.py')
-rw-r--r--oauthlib/oauth2/rfc6749/errors.py29
1 files changed, 23 insertions, 6 deletions
diff --git a/oauthlib/oauth2/rfc6749/errors.py b/oauthlib/oauth2/rfc6749/errors.py
index 678fcff..ec2b0d1 100644
--- a/oauthlib/oauth2/rfc6749/errors.py
+++ b/oauthlib/oauth2/rfc6749/errors.py
@@ -96,6 +96,27 @@ class OAuth2Error(Exception):
def json(self):
return json.dumps(dict(self.twotuples))
+ @property
+ def headers(self):
+ if self.status_code == 401:
+ """
+ https://tools.ietf.org/html/rfc6750#section-3
+
+ All challenges defined by this specification MUST use the auth-scheme
+ value "Bearer". This scheme MUST be followed by one or more
+ auth-param values.
+ """
+ authvalues = [
+ "Bearer",
+ 'error="{}"'.format(self.error)
+ ]
+ if self.description:
+ authvalues.append('error_description="{}"'.format(self.description))
+ if self.uri:
+ authvalues.append('error_uri="{}"'.format(self.uri))
+ return {"WWW-Authenticate": ", ".join(authvalues)}
+ return {}
+
class TokenExpiredError(OAuth2Error):
error = 'token_expired'
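Review bot: The values interpolated into the WWW-Authenticate header at L29, L32 and L34 are inserted into a quoted-string without escaping, so a description or URI containing `"` or `\` yields a malformed challenge, and one containing CR or LF would split the header; RFC 6750 section 3 requires these auth-params to use quoted-string syntax (RFC 7235), which means backslash-escaping `"` and `\` and never emitting control characters. A small helper that escapes and strips those characters before formatting closes both gaps, as sketched below. Separately, the triple-quoted string inside the `if` body at L20-L26 is a bare expression statement, not a docstring — keep the RFC reference as the property's docstring (`"""WWW-Authenticate challenge for 401 responses (RFC 6750 section 3)."""`) or as a `#` comment so the no-op goes away. `OAuth2Error` starts before this hunk, so whether `description` and `uri` are always set on the instance cannot be confirmed from here; the `if self.description:` / `if self.uri:` guards suggest they may be None.
```python
    @property
    def headers(self):
        """WWW-Authenticate challenge for 401 responses (RFC 6750 section 3)."""
        if self.status_code == 401:
            authvalues = [
                "Bearer",
                'error={}'.format(_quoted(self.error)),
            ]
            if self.description:
                authvalues.append('error_description={}'.format(_quoted(self.description)))
            if self.uri:
                authvalues.append('error_uri={}'.format(_quoted(self.uri)))
            return {"WWW-Authenticate": ", ".join(authvalues)}
        return {}


def _quoted(value):
    """Format *value* as an RFC 7235 quoted-string: drop CR/LF, escape backslash and quote."""
    value = str(value).replace("\r", "").replace("\n", "")
    return '"{}"'.format(value.replace("\\", "\\\\").replace('"', '\\"'))
```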
@@ -185,7 +206,6 @@ class AccessDeniedError(OAuth2Error):
The resource owner or authorization server denied the request.
"""
error = 'access_denied'
- status_code = 401
class UnsupportedResponseTypeError(OAuth2Error):
@@ -198,12 +218,12 @@ class UnsupportedResponseTypeError(OAuth2Error):
class InvalidScopeError(OAuth2Error):
"""
- The requested scope is invalid, unknown, or malformed.
+ The requested scope is invalid, unknown, or malformed, or
+ exceeds the scope granted by the resource owner.
https://tools.ietf.org/html/rfc6749#section-5.2
"""
error = 'invalid_scope'
- status_code = 400
class ServerError(OAuth2Error):
@@ -261,7 +281,6 @@ class UnauthorizedClientError(OAuth2Error):
grant type.
"""
error = 'unauthorized_client'
- status_code = 401
class UnsupportedGrantTypeError(OAuth2Error):
@@ -318,7 +337,6 @@ class ConsentRequired(OAuth2Error):
completed without displaying a user interface for End-User consent.
"""
error = 'consent_required'
- status_code = 401
class LoginRequired(OAuth2Error):
@@ -330,7 +348,6 @@ class LoginRequired(OAuth2Error):
completed without displaying a user interface for End-User authentication.
"""
error = 'login_required'
- status_code = 401
class CustomOAuth2Error(OAuth2Error):