If the /owa endpoint received a request with a missing or invalid
Authorization header, it would return an error to the requester, but
without any message describing why it failes.
This patch adds a message to the error response, so that it will be a
bit easier to debug these issues in the future.
The owa spec includes a 'message' field in the error response, but makes
it optional. Any conforming implementations should accept a response
that includes the 'message' field.
