How should clients handle HTTP 401 with unknown authentication schemes?
Posted by user113215 on Server Fault, published on 2013-11-04T18:49:23Z
What is the proper behavior for an HTTP client receiving a 401 Unauthorized response that specifies only unrecognized authentication schemes?
My server supports Kerberos authentication using WWW-Authenticate: Negotiate. On the first request, the server sends a 401 Unauthorized response with a body containing an HTML document. The behavior that I expect is for clients that support Kerberos to perform that authentication and for other clients to simply display the HTML document (a login form).
It seems that most of the "other clients" I've encountered do work this way, but a few do not. I haven't found anything that mandates any particular behavior in this situation. There's a brief mention in RFC 2617: HTTP Authentication: Basic and Digest Access Authentication, but is there anything more concrete?
It is possible that a server may want to require Digest as its authentication method, even if the server does not know that the client supports it. A client is encouraged to fail gracefully if the server specifies only authentication schemes it cannot handle.
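An added example (not code from the post or from any HTTP library) of the client behaviour the question expects: parse every challenge in the 401, use the first scheme the client implements, and otherwise hand back the HTML body so it can be displayed. The set of supported schemes and the fallback policy are assumptions.

```python
# Added example (not the poster's code): pick a usable WWW-Authenticate challenge
# from a 401, or fall back to the HTML body when this client implements none.
# One header may carry several challenges, commas also separate a single
# challenge's parameters, and a quoted realm may contain a comma (RFC 7235).
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"   # RFC 7230 token
QUOTED = r'"[^"]*"'                       # quoted-string, may hold commas
_PARAM_RE = re.compile(rf"^({TOKEN})\s*=\s*({QUOTED}|{TOKEN})$")

def _split_commas(value):
    """Split on commas that are outside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_challenges(headers):
    """[(scheme, params)] in server order; a bare token68 (e.g. the SPNEGO
    blob after 'Negotiate') is kept under the key 'token68'."""
    challenges = []
    for header in headers:
        for piece in _split_commas(header):
            m = _PARAM_RE.match(piece)
            if m and challenges:  # auth-param continuing the previous challenge
                challenges[-1][1][m.group(1).lower()] = m.group(2).strip('"')
                continue
            scheme, _, rest = piece.partition(" ")
            params, rest = {}, rest.strip()
            if rest:
                pm = _PARAM_RE.match(rest)
                params = ({pm.group(1).lower(): pm.group(2).strip('"')} if pm
                          else {"token68": rest})
            challenges.append((scheme.lower(), params))   # schemes are case-insensitive
    return challenges

def handle_401(www_authenticate, body, supported):
    """First challenge this client implements (supported = lower-case scheme
    names), else ('fallback', None, body) so the caller shows the login form."""
    for scheme, params in parse_challenges(www_authenticate):
        if scheme in supported:
            return ("auth", scheme, params)
    return ("fallback", None, body)
```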
© Server Fault or respective owner