3.13.5.2.3 Response to Active Requests

The proxy MAY choose to preauthenticate requests by making backend requests to the server as specified in section 3.12.5.1.5, provided the proxy deems that the request contains the credentials it needs to be preauthenticated.<16>

The proxy MUST perform client TLS authentication [RFC2246] using the certificate in [Client State].TrustCertificate.

  • If the request contains Username and Password in the Authorization header as specified in [RFC2617], they are used as username and password in the Authentication Request (section 2.2.2.21).

  • If the request was made using SSL mutual authentication [RFC6101], the proxy SHOULD identify whether the client certificate is the proof of the device or the proof of the user.

    • If the client certificate is the proof of the user, it is used as the userCertificate in the Authentication Request (section 2.2.2.21).

    • If the client certificate is the proof of the device, it is used as the deviceCertificate in the Authentication Request (section 2.2.2.21).

  • Any HTTP headers from the incoming request are passed on to the server as the httpHeaders in the Authentication Request (section 2.2.2.21).

If the pre-authentication request resulted in an error, the proxy MUST send HTTP 401 to the client.

If the pre-authentication request returned a valid response as specified in section 3.12.5.1.5.2, the value of authToken in the Proxy Token Wrapper (section 2.2.2.20) is used for pre-authentication according to the rules specified in section 3.13.5.1.

The proxy MAY allow the "Authorization" header from the incoming HTTP request [RFC2617] to propagate to the backend application.
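The credential mapping and error handling described above, as an added Python illustration that is not part of the specification: the Basic credential parser follows [RFC2617], while the dictionary layouts, the constructed `proof_of` attribute (standing in for the proxy's user-versus-device classification) and the shape of `backend_result` are assumptions, not the wire formats of sections 2.2.2.20 and 2.2.2.21.

```python
import base64
from typing import Optional, Tuple

# Hypothetical model of the proxy's preauthentication step. Field names follow
# the text (Username/Password, userCertificate, deviceCertificate, httpHeaders,
# authToken); the dict layouts are assumptions, not the specified formats.

def parse_basic_authorization(value: str) -> Optional[Tuple[str, str]]:
    """Decode an RFC 2617 Basic credential: 'Basic base64(user:pass)'."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None            # malformed credential: treat as absent
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def build_authentication_request(headers: dict, client_cert: Optional[dict]) -> dict:
    """Assemble the Authentication Request from the incoming client request."""
    req = {"httpHeaders": dict(headers)}   # every incoming header is passed on
    auth = headers.get("Authorization")
    creds = parse_basic_authorization(auth) if auth else None
    if creds:
        req["Username"], req["Password"] = creds
    if client_cert is not None:
        # 'proof_of' is a constructed attribute: the text leaves the user/device
        # classification of the TLS client certificate to the proxy.
        if client_cert["proof_of"] == "user":
            req["userCertificate"] = client_cert["der"]
        elif client_cert["proof_of"] == "device":
            req["deviceCertificate"] = client_cert["der"]
    return req

def proxy_response(backend_result: dict) -> dict:
    """Map the backend preauthentication outcome to the client-facing response."""
    if backend_result.get("error"):
        return {"status": 401}   # MUST send 401; backend error detail stays internal
    # authToken from the Proxy Token Wrapper feeds the rules of section 3.13.5.1
    return {"status": 200, "authToken": backend_result["authToken"]}
```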