I'm not sure this is correct behavior

https://github.com/zf-fr/zfr-oauth2-server/blob/master/src/Middleware/ResourceServerMiddleware.php#L64

I think it would be more flexible if an exception is raised so error middleware might respond differently (For example with an Apigility ApiProblem type response)

Well, the issue is that according to the spec it should return a 401. So this is the behaviour of this by default. But you're right, I'm not sure how it could be extended to modify the output.

I now think this is ok. It is a oauth2 resource server with a specifically defined response. we shouldn't defiate from that.

closing