How should clients handle HTTP 401 with unknown authentication schemes?

Posted by user113215 on Server Fault See other posts from Server Fault or by user113215
Published on 2013-11-04T18:49:23Z Indexed on 2013/11/05 3:59 UTC
Read the original article Hit count: 518

Filed under:
|
|
|

What is the proper behavior for an HTTP client receiving a 401 Unauthorized response that specifies only unrecognized authentication schemes?

My server supports Kerberos authentication using WWW-Authenticate: Negotiate. On the first request, the server sends a 401 Unauthorized response with a body containing an HTML document. The behavior that I expect is for clients that support Kerberos to perform that authentication and for other clients to simply display the HTML document (a login form).

It seems that most of the "other clients" I've encountered do work this way, but a few do not. I haven't found anything that mandates any particular behavior in this situation. There's a brief mention in RFC 2617: HTTP Authentication: Basic and Digest Access Authentication, but is there anything more concrete?

It is possible that a server may want to require Digest as its authentication method, even if the server does not know that the client supports it. A client is encouraged to fail gracefully if the server specifies only authentication schemes it cannot handle.

© Server Fault or respective owner

Related posts about http

Related posts about kerberos