Hi,

So you generally have no objection to the idea that I recreate the 
whole Basic auth implementation in svn to support a custom Basic+OTP auth 
scheme?

Best regards,
Peter

On Thu, Jul 17, 2025, at 15:05, Branko Čibej wrote:
> On 14. 7. 25 01:01, Peter Balogh wrote:
> > Hi,
> >
> > I think I've just run into this,
> >
> > Here's the current flow:
> > 1st request without auth gets a 401 response with WWW-Authenticate: 
> > Digest header
> > 2nd request sent with Authorization header gets a WWW-Authenticate: 
> > MFA header
> > 3rd request is sent with OTP, but this goes without Authorization: Digest
> > In my current implementation the user's password is re-requested, and 
> > everything works fine after that, but I'm having trouble fixing this.
> 
> As I already wrote elsewhere, Serf handles only one authentication 
> method per realm. And that's correct, because it turns out that the RFC 
> requires it to be so.
> 
> 
> > I can probably add an auth method that does both Basic+OTP, but it'd 
> > probably mean code duplication, or calling the Basic auth method 
> > functions from the new method,
> 
> Not without hacking Serf's internals directly. The user-defined-authn 
> code doesn't give you access to those, on purpose.
> 
> > but these feel wrong
> >
> > Any pointers on how to move this forward?
> >
> > Best regards,
> > Peter
> >
> > On 2025. 06. 14. 21:23, Branko Čibej wrote:
> >> Hi all,
> >>
> >> I've been digging into Serf's support for various authentication 
> >> schemes and I noticed something that looks like a bit of a limitation.
> >>
> >> Unless I'm much mistaken, there's space for only one authentication 
> >> baton in Serf's context. It would seem that this is rather a blocker 
> >> for implementing multi-factor authentication flows, for example, 
> >> Basic + OTP, where the server would first require basic credentials 
> >> and then, if those were correct, go on to issue an OTP challenge.
> >>
> >> It seems to me that a simple solution for that would be to store an 
> >> authn baton per scheme, but I know on the close order of nothing 
> >> about the possible side effects.
> >>
> >> Yeah, I'm starting small, I have no wish to implement OAuth2 flow any 
> >> time soon. Still, a bit of insight from the knowledgeable would be 
> >> welcome.
> >>
> >> -- Brane
> >>
> 
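The three-request exchange Peter describes above, as an added illustration that is not part of the thread and not Serf code: a tiny Python stand-in for the server chains a Digest challenge with a second "MFA" challenge, and the client is run twice, once keeping the Digest `Authorization` header on the OTP request and once dropping it (the single-auth-method-per-realm behaviour). The `MFA` scheme name, the `X-OTP` header, the realm, the credentials and the one-time code are all constructed for the example; the Digest computation is the RFC 2617 MD5 form, kept only because it is what the thread's server sends.

```python
import hashlib
import secrets

# Constructed sample data for this demonstration (not from the thread).
REALM = "svn-example"
USERS = {"peter": "correct horse battery"}
VALID_OTP = "123456"
URI = "/repo"


def _md5(text):
    # MD5 as used by RFC 2617 Digest; kept for fidelity to the simulated server.
    return hashlib.md5(text.encode()).hexdigest()


def _parse_digest(value):
    # 'Digest k1="v1", k2="v2"' -> {"k1": "v1", "k2": "v2"}
    parts = (p.strip() for p in value[len("Digest "):].split(","))
    pairs = (p.split("=", 1) for p in parts if "=" in p)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}


class Server:
    """Stand-in for an httpd that requires Digest credentials first and,
    only once those verify, issues a second (hypothetical) MFA/OTP challenge."""

    def __init__(self):
        self.nonce = secrets.token_hex(8)

    def _digest_challenge(self):
        return 401, {"WWW-Authenticate": f'Digest realm="{REALM}", nonce="{self.nonce}"'}

    def _mfa_challenge(self):
        return 401, {"WWW-Authenticate": f'MFA realm="{REALM}"'}

    def handle(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Digest "):
            return self._digest_challenge()          # 1st request lands here
        p = _parse_digest(auth)
        user = p.get("username")
        if user not in USERS or p.get("nonce") != self.nonce:
            return self._digest_challenge()
        ha1 = _md5(f"{user}:{REALM}:{USERS[user]}")
        ha2 = _md5(f"GET:{URI}")
        if p.get("response") != _md5(f"{ha1}:{self.nonce}:{ha2}"):
            return self._digest_challenge()
        # Password verified; now demand the second factor.
        if headers.get("X-OTP") != VALID_OTP:
            return self._mfa_challenge()             # 2nd request lands here
        return 200, {}


def digest_authorization(user, password, nonce):
    # Client side of RFC 2617 Digest (qop-less form) for a GET on URI.
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"GET:{URI}")
    resp = _md5(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{URI}", response="{resp}"')


def run_flow(keep_digest_on_otp_request):
    """Drive up to three requests. Returns (status codes, scheme of the last
    unanswered challenge or None). With keep_digest_on_otp_request=False the
    client behaves like one that remembers a single auth method per realm:
    the OTP reply goes out without Authorization: Digest, so the server
    falls back to asking for the password again."""
    server = Server()
    statuses, headers, nonce, last_scheme = [], {}, None, None
    for _ in range(3):
        status, resp = server.handle(headers)
        statuses.append(status)
        if status == 200:
            last_scheme = None
            break
        challenge = resp["WWW-Authenticate"]
        last_scheme = challenge.split(" ", 1)[0]
        if last_scheme == "Digest":
            nonce = _parse_digest(challenge)["nonce"]
            headers = {"Authorization": digest_authorization("peter", USERS["peter"], nonce)}
        else:  # MFA challenge: answer with the OTP, with or without the Digest proof
            headers = {"X-OTP": VALID_OTP}
            if keep_digest_on_otp_request:
                headers["Authorization"] = digest_authorization("peter", USERS["peter"], nonce)
    return statuses, last_scheme


if __name__ == "__main__":
    print("both headers on 3rd request:", run_flow(True))    # ([401, 401, 200], None)
    print("only OTP on 3rd request:   ", run_flow(False))    # ([401, 401, 401], 'Digest')
```

The second run reproduces the loop from the thread: the server sees no Digest proof on the OTP request and re-issues the Digest challenge, so the user is asked for the password again. A client has to carry state for both schemes at once (here simply by sending both headers) for the chained flow to complete.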
