On 14. 7. 25 01:01, Peter Balogh wrote:
Hi,
I think I've just run into this,
Here's the current flow:
1st request without auth gets a 401 response with WWW-Authenticate:
Digest header
2nd request sent with Authorization header gets a WWW-Authenticate:
MFA header
3rd request is sent with OTP, but this goes without Authorization: Digest
In my current implementation the user's password is re-requested, and
everything works fine after that, but I'm having trouble fixing this
As I already wrote elsewhere, Serf handles only one authentication
method per realm. And that's correct, because it turns out that the RFC
requires it to be so.
I can probably add an auth method that does both Basic+OTP, but it'd
probably mean code duplication, or calling the Basic auth method
functions from the new method,
Not without hacking Serf's internals directly. The user-defined-authn
code doesn't give you access to those, on purpose.
but these feel wrong
Any pointers, how to move this forward?
Best regards,
Peter
On 2025. 06. 14. 21:23, Branko Čibej wrote:
Hi all,
I've been digging into Serf's support for various authentication
schemes and I noticed something that looks like a bit of a limitation.
Unless I'm much mistaken, there's space for only one authentication
baton in Serf's context. It would seem that this is rather a blocker
for implementing multi-factor authentication flows, for example,
Basic + OTP, where the server would first require basic credentials
and then, if those were correct, go on to issue an OTP challenge.
It seems to me that a simple solution for that would be to store an
authn baton per scheme, but I know on the close order of nothing
about the possible side effects.
Yeah, I'm starting small, I have no wish to implement OAuth2 flow any
time soon. Still, a bit of insight from the knowledgeable would be
welcome.
-- Brane
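The Digest-then-OTP exchange Peter describes, simulated end to end as an added example written for this page; it is not Serf code and not from either poster. Both sides are modelled in Python, and the client can run in the two modes the thread discusses: one authentication baton per realm (the MFA challenge evicts the Digest handler, so the third request carries the OTP but no Authorization: Digest, and the server falls back to re-challenging for Digest) versus one baton per scheme (the third request carries both and succeeds). Assumptions not taken from the thread: the OTP travels in a hypothetical X-OTP request header, the second challenge is a WWW-Authenticate: MFA header as named in the thread, and the Digest exchange uses qop=auth with MD5 per RFC 2617/7616.

```python
"""Digest-then-OTP challenge flow, both sides simulated.
Constructed example for this thread, not Serf code. Assumptions not from the
thread: a hypothetical `X-OTP` header carries the OTP; the second challenge
is `WWW-Authenticate: MFA ...`.
"""
import hashlib
import secrets

USER, PASSWORD, REALM = "peter", "correct horse battery", "serf-test"
EXPECTED_OTP = "493817"  # constructed: what the user's OTP generator shows


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_auth(value):
    """Split 'Scheme k="v", k2=v2' into (scheme, {k: v})."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for part in rest.split(","):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            params[k] = v.strip('"')
    return scheme, params


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce):
    """RFC 2617/7616 response for qop=auth with the MD5 algorithm."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class Server:
    """Wants valid Digest credentials first, then an OTP on top of them."""

    def __init__(self):
        self.nonce = secrets.token_hex(8)

    def _digest_challenge(self):
        return 401, {"WWW-Authenticate":
                     f'Digest realm="{REALM}", qop="auth", nonce="{self.nonce}"'}

    def handle(self, method, uri, headers):
        scheme, p = parse_auth(headers.get("Authorization", ""))
        if scheme != "Digest" or p.get("username") != USER or p.get("nonce") != self.nonce:
            return self._digest_challenge()
        expected = digest_response(USER, PASSWORD, REALM, method, uri, self.nonce,
                                   p.get("nc", ""), p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return self._digest_challenge()  # (nc replay tracking omitted)
        # First factor passed. The second is required in addition to it, so a
        # request carrying only the OTP lands back at the Digest challenge.
        if not secrets.compare_digest(headers.get("X-OTP", ""), EXPECTED_OTP):
            return 401, {"WWW-Authenticate": f'MFA realm="{REALM}", method="otp"'}
        return 200, {}


def make_baton(scheme, params):
    """Per-scheme handler that adds its credentials to an outgoing request."""
    if scheme == "Digest":
        state = {"nc": 0}

        def add_digest(method, uri):
            state["nc"] += 1
            nc, cnonce = f"{state['nc']:08x}", secrets.token_hex(4)
            resp = digest_response(USER, PASSWORD, params["realm"], method, uri,
                                   params["nonce"], nc, cnonce)
            return {"Authorization":
                    f'Digest username="{USER}", realm="{params["realm"]}", '
                    f'nonce="{params["nonce"]}", uri="{uri}", qop=auth, '
                    f'nc={nc}, cnonce="{cnonce}", response="{resp}"'}
        return add_digest
    if scheme == "MFA":
        return lambda method, uri: {"X-OTP": EXPECTED_OTP}  # user types the code
    raise ValueError(f"unsupported scheme {scheme!r}")


class Client:
    def __init__(self, baton_per_scheme):
        self.baton_per_scheme = baton_per_scheme
        self.batons = {}  # scheme -> handler

    def request(self, server, method, uri, max_rounds=4):
        """Return (final status, per-round list of (status, header names sent))."""
        trace = []
        for _ in range(max_rounds):
            headers = {}
            for baton in self.batons.values():
                headers.update(baton(method, uri))
            status, resp = server.handle(method, uri, headers)
            trace.append((status, sorted(headers)))
            if status != 401:
                return status, trace
            scheme, params = parse_auth(resp["WWW-Authenticate"])
            if not self.baton_per_scheme:
                self.batons.clear()  # one baton per realm: new challenge evicts the old
            self.batons[scheme] = make_baton(scheme, params)
        return 401, trace


def run_flow(baton_per_scheme):
    return Client(baton_per_scheme).request(Server(), "GET", "/secret")
```

Calling run_flow(False) reproduces the loop from the thread: the round after the MFA challenge goes out with only X-OTP, the server re-issues the Digest challenge, and the client never converges. run_flow(True) succeeds on the third round because the Digest baton survives the MFA challenge. The server deliberately treats a missing or wrong OTP as a repeat of the MFA challenge rather than a Digest one, so the trace makes clear which side of the exchange is dropping state.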