Hi,

I think I've just run into this.

Here's the current flow:
1st request without auth gets a 401 response with WWW-Authenticate: Digest header
2nd request sent with Authorization header gets a WWW-Authenticate: MFA header
3rd request is sent with OTP, but this goes without Authorization: Digest
In my current implementation the user's password is re-requested, and everything works fine after that, but I'm having trouble fixing this.

I can probably add an auth method that does both Basic+OTP, but it'd probably mean code duplication, or calling the Basic auth method functions from the new method, but these feel wrong

Any pointers, how to move this forward?

Best regards,
Peter

On 2025. 06. 14. 21:23, Branko Čibej wrote:
Hi all,

I've been digging into Serf's support for various authentication schemes and I noticed something that looks like a bit of a limitation.

Unless I'm much mistaken, there's space for only one authentication baton in Serf's context. It would seem that this is rather a blocker for implementing multi-factor authentication flows, for example, Basic + OTP, where the server would first require basic credentials and then, if those were correct, go on to issue an OTP challenge.

It seems to me that a simple solution for that would be to store an authn baton per scheme, but I know on the close order of nothing about the possible side effects.

Yeah, I'm starting small, I have no wish to implement OAuth2 flow any time soon. Still, a bit of insight from the knowledgeable would be welcome.

-- Brane
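As an added illustration (not Serf code, and not from either poster), the toy model below replays the Digest-then-OTP flow Peter describes and contrasts a single credential slot with Brane's suggestion of one baton per scheme. The "MFA" challenge name and the X-OTP header are assumptions standing in for whatever the real server sends; the Digest token is a plain hash rather than a real nonce-based Digest response.

```python
import hashlib

# Constructed demo secrets; a real Digest exchange uses nonces, this is a stand-in.
PASSWORD = "s3cret"
OTP_CODE = "123456"


def _digest_token(password):
    return "Digest " + hashlib.sha256(password.encode()).hexdigest()[:16]


def server(headers):
    """Mock two-factor server: Digest first, then an OTP as the second factor.
    Returns (status, scheme named in WWW-Authenticate or None)."""
    if headers.get("Authorization") != _digest_token(PASSWORD):
        return 401, "Digest"
    if headers.get("X-OTP") != OTP_CODE:          # assumed header name
        return 401, "MFA"                         # assumed challenge name
    return 200, None


def make_baton(scheme):
    """Credential material for one scheme (what Serf keeps in an auth baton)."""
    if scheme == "Digest":
        return {"Authorization": _digest_token(PASSWORD)}
    if scheme == "MFA":
        return {"X-OTP": OTP_CODE}
    raise ValueError(scheme)


def run_flow(per_scheme_batons, max_requests=4):
    """Drive the client until it gets 200 or gives up; return the status list."""
    batons = {}
    statuses = []
    for _ in range(max_requests):
        headers = {}
        for h in batons.values():      # attach every credential we hold
            headers.update(h)
        status, challenge = server(headers)
        statuses.append(status)
        if status == 200:
            break
        if per_scheme_batons:
            batons[challenge] = make_baton(challenge)   # keep Digest and add OTP
        else:
            # Single slot: the OTP baton overwrites the Digest one, so the
            # third request goes out without Authorization and loops on 401.
            batons = {"only": make_baton(challenge)}
    return statuses
```

With per-scheme batons the third request carries both headers and succeeds; with one slot the client alternates between the two challenges until it gives up.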
