Suppose that the OpenID Connect implicit flow is mainly used by single-page applications (SPA); probably the first access to the backend/API is done by using an AJAX call, not by loading the SPA itself.
Now, if the API detects that the request is being sent without a token, how should it respond?
IMHO it does not make too much sense to respond with a redirect, because this would only cause the AJAX request to be redirected, not the entire browser window (which is necessary).
So, is responding with a 401 fine? Or is there another (better) way to handle this? Supposing that a 401 is fine, should the server somehow indicate which identity provider to use, or is this completely up to the client, with the backend assuming that the client knows which identity provider it trusts?
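A sketch of the 401 approach the question asks about, added here as an illustration (it is not code from the question or from any answer): the API answers a token-less AJAX request with a 401 plus a `WWW-Authenticate: Bearer` challenge as defined in RFC 6750, whose `realm` parameter is the standardized place to hint which protection space the client is expected to authenticate against; the SPA detects the 401 itself and navigates the top-level window to its login route, since a redirect on the XHR could not do that. The `/login` route, the realm value, the `verify` callback and all function names are assumptions made for this example.

```javascript
// Added example, not from the original post. Server side: challenge a
// token-less or bad-token request with 401 + WWW-Authenticate (RFC 6750 §3).
// Client side: react to the 401 by navigating the whole window to login.
// The "/login" route and all identifiers are illustrative assumptions.

// --- Server side -----------------------------------------------------------

// Minimal request model: { headers: { authorization?: string } }
function extractBearerToken(req) {
  const auth = req.headers.authorization || '';
  // RFC 6750 §2.1: "Bearer" scheme (case-insensitive) followed by the token.
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  return m ? m[1] : null;
}

// Build the 401 challenge. `realm` names the protection space the API expects.
// `error` is only set when a token was present but rejected; a request with no
// token at all gets a bare challenge, as RFC 6750 §3.1 requires.
function unauthorized(realm, error, description) {
  let challenge = `Bearer realm="${realm}"`;
  if (error) {
    challenge += `, error="${error}"`;
    if (description) challenge += `, error_description="${description}"`;
  }
  return {
    status: 401,
    headers: { 'WWW-Authenticate': challenge },
    body: '',
  };
}

// Gate an API handler: missing token -> plain 401 challenge; otherwise call
// `verify` (assumed to return the claims, or null on failure) and either run
// the handler or answer with error="invalid_token".
function protect(realm, verify, handler) {
  return function (req) {
    const token = extractBearerToken(req);
    if (token === null) return unauthorized(realm);
    const claims = verify(token);
    if (!claims) return unauthorized(realm, 'invalid_token', 'token rejected');
    return handler(req, claims);
  };
}

// --- Client side (SPA) -----------------------------------------------------

// Parse a WWW-Authenticate: Bearer challenge into its quoted parameters.
function parseBearerChallenge(headerValue) {
  if (!/^Bearer\b/i.test(headerValue || '')) return null;
  const params = {};
  const re = /(\w+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(headerValue)) !== null) params[m[1]] = m[2];
  return params;
}

// Decide what the SPA does with an API response. An XHR cannot follow a
// redirect to the IdP on the app's behalf, so the app itself navigates the
// top-level window. `navigate` is injected; in a browser it would be
// url => window.location.assign(url).
function handleApiResponse(resp, navigate) {
  if (resp.status !== 401) return 'ok';
  const params = parseBearerChallenge(resp.headers['WWW-Authenticate']) || {};
  const realm = params.realm || '';
  navigate('/login?realm=' + encodeURIComponent(realm));
  return params.error === 'invalid_token' ? 'reauth' : 'login';
}
```

The server never tries to redirect; it only states, via the challenge, that authentication is required and for which realm. Whether that realm is mapped to a particular identity provider is a decision the SPA makes from its own configuration.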