WWW-Authenticate header does not match failed authenticator

[orez-rj]

Similar issue has been raised before issue 3800 but I think it should be reconsidered.
DRF’s behavior is technically compliant with RFC 7235, but misleading in practice.

When multiple authentication_classes are used, DRF always returns the WWW-Authenticate header from the first class, even if a later authenticator is the one that rejected the request.

While RFC 7235 §4.1 allows a response to include “at least one challenge,” it expects that challenge to be applicable to the request, and in the current DRF behavior, this leads to misleading responses.

Example:

authentication_classes = [BearerAuthentication, TokenAuthentication]

If the client sends Authorization: Token abc123 (which fails), DRF still returns:

WWW-Authenticate: Bearer

This is confusing for clients, misrepresents the actual failure, and makes debugging harder.

The expected behavior is to return the challenge from the authenticator that raised the exception.
This would:

• Better reflect the RFC’s intent
• Match behaviors of other frameworks
• Improve client-side UX and debugging

Developers could still choose between "browsers should/should not respond with an authentication dialog" by implementing the authenticate_header method.

Would you be open to a PR that corrects this?