Hi,

So you generally have no objection to the idea that I recreate the whole Basic auth implementation in svn to support a custom Basic+OTP auth scheme?

Best regards,
Peter

On Thu, Jul 17, 2025, at 15:05, Branko Čibej wrote:
> On 14. 7. 25 01:01, Peter Balogh wrote:
> > Hi,
> >
> > I think I've just run into this.
> >
> > Here's the current flow:
> > 1st request without auth gets a 401 response with WWW-Authenticate: Digest header
> > 2nd request sent with Authorization header gets a WWW-Authenticate: MFA header
> > 3rd request is sent with OTP, but this goes without Authorization: Digest
> > In my current implementation the user's password is re-requested, and everything works fine after that, but I'm having trouble fixing this.
>
> As I already wrote elsewhere, Serf handles only one authentication method per realm. And that's correct, because it turns out that the RFC requires it to be so.
>
> > I can probably add an auth method that does both Basic+OTP, but it'd probably mean code duplication, or calling the Basic auth method functions from the new method,
>
> Not without hacking Serf's internals directly. The user-defined-authn code doesn't give you access to those, on purpose.
>
> > but these feel wrong.
> >
> > Any pointers on how to move this forward?
> >
> > Best regards,
> > Peter
> >
> > On 2025. 06. 14. 21:23, Branko Čibej wrote:
> >> Hi all,
> >>
> >> I've been digging into Serf's support for various authentication schemes and I noticed something that looks like a bit of a limitation.
> >>
> >> Unless I'm much mistaken, there's space for only one authentication baton in Serf's context. It would seem that this is rather a blocker for implementing multi-factor authentication flows, for example, Basic + OTP, where the server would first require basic credentials and then, if those were correct, go on to issue an OTP challenge.
> >>
> >> It seems to me that a simple solution for that would be to store an authn baton per scheme, but I know on the close order of nothing about the possible side effects.
> >>
> >> Yeah, I'm starting small, I have no wish to implement OAuth2 flow any time soon. Still, a bit of insight from the knowledgeable would be welcome.
> >>
> >> -- Brane
> >>
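The challenge sequence the thread describes, as a constructed Python simulation added here (this is not Serf's or Subversion's code): a stateless server that demands Basic credentials first and, once those check out, issues a second challenge for a one-time password, driven by two clients. One client keeps a single auth baton per realm, so the OTP challenge replaces the Basic credentials and the server, seeing no first factor it can bind the OTP to, falls back to the Basic challenge and the password gets prompted again. The other client models a combined Basic+OTP scheme that keeps the Basic header and carries the OTP beside it. Assumptions: the challenge name `MFA` is taken from the thread and is not a registered HTTP auth scheme; the `X-OTP` request header, the user record and the shared HOTP counter are invented for the simulation; RFC 4226 HOTP with the RFC's test seed stands in for whatever token the deployment would use.

```python
import base64
import hashlib
import hmac
import struct

REALM = "svn"

# Constructed test user. The OTP secret is the RFC 4226 test seed, used only so
# the expected codes are known; a real deployment has per-user token seeds.
USERS = {"peter": {"password": b"s3cret", "otp_secret": b"12345678901234567890"}}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the one-time code the server expects for this counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_basic(cred: str):
    """Validate 'user:password' from a Basic credential; return the user or None."""
    try:
        user, _, pw = base64.b64decode(cred, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    rec = USERS.get(user)
    if rec and hmac.compare_digest(rec["password"], pw.encode()):
        return user
    return None


def server(headers: dict, counter: int):
    """Stateless server: needs valid Basic credentials and, with them, an OTP.

    Returns (status, response_headers). The OTP is read from the assumed X-OTP
    header; 'MFA' is the challenge name used in the thread, not a registered
    HTTP auth scheme.
    """
    basic_challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    mfa_challenge = {"WWW-Authenticate": f'MFA realm="{REALM}"'}
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        # Covers 'Authorization: MFA <otp>' on its own: with no first factor in
        # the request there is no user to bind the OTP to, so start over.
        return 401, basic_challenge
    user = check_basic(cred.strip())
    if user is None:
        return 401, basic_challenge
    otp = headers.get("X-OTP")
    expected = hotp(USERS[user]["otp_secret"], counter)
    if otp is None or not hmac.compare_digest(otp.encode(), expected.encode()):
        return 401, mfa_challenge
    return 200, {}


def run_client(combine: bool, counter: int, max_rounds: int = 4):
    """Drive the exchange; return a list of (request_headers, status, challenge).

    combine=False models one auth baton per realm: the MFA challenge replaces
    the Basic credentials. combine=True models a combined Basic+OTP scheme
    that keeps the Basic header and adds the OTP beside it.
    """
    user, pw = "peter", "s3cret"
    basic = base64.b64encode(f"{user}:{pw}".encode()).decode()
    otp = hotp(USERS[user]["otp_secret"], counter)  # what the user's token shows
    headers: dict = {}
    log = []
    for _ in range(max_rounds):
        status, resp = server(headers, counter)
        challenge = resp.get("WWW-Authenticate", "")
        log.append((dict(headers), status, challenge))
        if status == 200:
            break
        scheme = challenge.split(" ", 1)[0]
        if scheme == "Basic":
            headers = {"Authorization": f"Basic {basic}"}  # password (re)prompted
        elif scheme == "MFA" and combine:
            headers = {"Authorization": f"Basic {basic}", "X-OTP": otp}
        elif scheme == "MFA":
            headers = {"Authorization": f"MFA {otp}"}  # Basic header dropped
    return log


if __name__ == "__main__":
    for combine in (False, True):
        print("combined scheme" if combine else "one scheme per realm")
        for req, status, challenge in run_client(combine, counter=0):
            print(f"  -> {req or 'no Authorization'}\n  <- {status} {challenge}")
```

With `combine=False` the exchange never converges: Basic, MFA, Basic, MFA, each Basic challenge meaning another password prompt, which is the loop reported above. With `combine=True` the third request carries both factors and gets a 200. The point for a client library is that a second factor is only meaningful to a stateless server when it arrives together with, or provably bound to, the first one; a per-scheme baton that discards the earlier credentials cannot express that.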