
Prefer BasicAuth challenge when more than one mechanism is registered and it is not possible to detect the client preference #18648

Closed
sberyozkin opened this issue Jul 13, 2021 · 0 comments · Fixed by #18757
Labels
area/security kind/enhancement New feature or request
Description

Right now, if, for example, both the Bearer token and Basic Auth mechanisms are enabled, then, if the authentication fails and a challenge is required, and it is not possible to detect the client preference (for example, the Authorization header was simply not set), and when no path-specific mechanism config has been provided, then the first mechanism in the list will be used to create a challenge - which can be Bearer in the given example - however the Basic Auth one should be preferred if it is available - as it can help with the browser challenging a user to enter the name/password

Implementation ideas

No response
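To make the selection rule in this issue concrete, here is a small stand-alone illustration (added here; it is not Quarkus code and uses hypothetical names such as `Mechanism`, `select_challenge_first_registered` and `select_challenge_prefer_basic`). It contrasts the current behaviour, which falls back to the first registered mechanism, with the requested one, which only falls back to Basic when the client gave no hint. In both variants an explicit hint wins: a scheme named in the `Authorization` header, or a path-specific mechanism configured by the operator, is honoured before any fallback, so API clients that already speak Bearer are not pushed into a browser-style Basic prompt.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of a registered HTTP authentication mechanism.
# The challenge string is what goes into the WWW-Authenticate header.
@dataclass(frozen=True)
class Mechanism:
    scheme: str       # e.g. "Basic" or "Bearer"
    challenge: str    # e.g. 'Basic realm="app"'


# Constructed sample registrations; Bearer is deliberately listed first
# to reproduce the situation described in the issue.
BEARER = Mechanism("Bearer", 'Bearer realm="app"')
BASIC = Mechanism("Basic", 'Basic realm="app"')
MECHANISMS: List[Mechanism] = [BEARER, BASIC]


def client_preference(headers: Dict[str, str]) -> Optional[str]:
    """Return the lower-cased auth scheme the client used, or None.

    Only the scheme token of the Authorization header is inspected; the
    credential part is never interpreted here.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("authorization", "").strip()
    if not value:
        return None
    return value.split(None, 1)[0].lower()


def _hinted(mechs: List[Mechanism], headers: Dict[str, str],
            path_mechanism: Optional[str]) -> Optional[Mechanism]:
    """Pick the mechanism explicitly hinted by config or by the client."""
    hint = (path_mechanism or client_preference(headers) or "").lower()
    for m in mechs:
        if hint and m.scheme.lower() == hint:
            return m
    return None


def select_challenge_first_registered(mechs: List[Mechanism],
                                      headers: Dict[str, str],
                                      path_mechanism: Optional[str] = None) -> str:
    """Current behaviour: no hint means 'first mechanism in the list'."""
    hinted = _hinted(mechs, headers, path_mechanism)
    return (hinted or mechs[0]).challenge


def select_challenge_prefer_basic(mechs: List[Mechanism],
                                  headers: Dict[str, str],
                                  path_mechanism: Optional[str] = None) -> str:
    """Requested behaviour: no hint means 'Basic if registered, else first'."""
    hinted = _hinted(mechs, headers, path_mechanism)
    if hinted is not None:
        return hinted.challenge
    basic = next((m for m in mechs if m.scheme.lower() == "basic"), None)
    return (basic or mechs[0]).challenge


def unauthorized(challenge: str) -> Tuple[int, Dict[str, str]]:
    """Build the 401 response a server would send back with the challenge."""
    return 401, {"WWW-Authenticate": challenge}


if __name__ == "__main__":
    no_header: Dict[str, str] = {}
    print("first-registered:", select_challenge_first_registered(MECHANISMS, no_header))
    print("prefer-basic:    ", select_challenge_prefer_basic(MECHANISMS, no_header))
    print(unauthorized(select_challenge_prefer_basic(MECHANISMS, no_header)))
```

Running it shows the difference only in the "no hint" case: with an empty request the first variant answers `Bearer realm="app"` while the second answers `Basic realm="app"`; a request carrying `Authorization: Bearer ...` or a path configured for Bearer gets the Bearer challenge from both.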
