3.1.5.1 Processing Partner Server Challenge Messages

After receiving a Partner Server Challenge message with Sent First Authenticated Request set to FALSE, the client MUST send the authentication server a Token Request message. The client MUST pass the parameters from the Partner Server Challenge message as-is to the authentication server in the Token Request message and store them in Partner Challenge. The values for the OrgVerb and OrgUrl parameters MUST be the Original HTTP Verb and Original HTTP URL stored (as specified in section 3.1.1) for the HTTP request whose response included the received Partner Server Challenge message.

If the client receives a Partner Server Challenge message with Sent First Authenticated Request set to TRUE (that is, a second time from the same partner server before receiving a Set Token message from that partner server), the client MUST pass an error up to the application.
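The two rules above can be read as one client-side handler. The following Python sketch is an added example, not part of the specification: the names `PartnerSession`, `TokenRequest`, `PartnerChallengeError` and `process_partner_server_challenge` are hypothetical, the challenge parameters are constructed sample values, and the wire encoding of the Token Request is not modelled.

```python
from dataclasses import dataclass, field


class PartnerChallengeError(Exception):
    """Error passed up to the application on a repeated challenge."""


@dataclass
class PartnerSession:
    """Per-partner-server client state named in this section (hypothetical layout)."""
    original_http_verb: str            # Original HTTP Verb (section 3.1.1)
    original_http_url: str             # Original HTTP URL (section 3.1.1)
    sent_first_authenticated_request: bool = False
    partner_challenge: dict = field(default_factory=dict)


@dataclass(frozen=True)
class TokenRequest:
    """Abstract Token Request content; the header encoding is out of scope here."""
    org_verb: str
    org_url: str
    challenge_params: dict


def process_partner_server_challenge(session, challenge_params):
    """Apply the rules of this section and return the Token Request to send."""
    if session.sent_first_authenticated_request:
        # Second challenge from the same partner server before a Set Token
        # message: fail closed and do not contact the authentication server.
        raise PartnerChallengeError("repeated Partner Server Challenge")

    # Store the parameters unmodified in Partner Challenge.
    session.partner_challenge = dict(challenge_params)

    # Forward the parameters as-is. OrgVerb and OrgUrl come only from the
    # client's stored request state, never from the challenge itself.
    return TokenRequest(
        org_verb=session.original_http_verb,
        org_url=session.original_http_url,
        challenge_params=dict(challenge_params),
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from a real exchange.
    s = PartnerSession("GET", "http://partner.example/protected")
    print(process_partner_server_challenge(s, {"param-a": "value-1"}))
```

Keeping `org_verb` and `org_url` separate from the forwarded parameters means a challenge that happens to carry keys with those names cannot override the values the client recorded for its own request.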

If the client receives an upgrade token, it MAY evaluate the condition. The client MAY then choose to ignore the Passport Tweener WWW-Authenticate header. <7>