2.2.2 Authentication Server Challenge Message

The Authentication Server Challenge message is sent by the authentication server to the client and indicates that the sign-in request or token request failed.

This message is processed only when returned with a 401 HTTP status code. The return value MUST be as follows.

 Authentication-Server-Challenge-Message = "WWW-Authenticate:"
  scheme 1*SP da-status "," srealm ["," customtoken] ["," prompt]
  ["," cburl] ["," cbtxt]
 status-codes = "failed" / "failed-noretry"
 da-status = "da-status=" status-codes
 srealm = "srealm=" ptoken
 cburl = "cburl=" httpURL
 cbtxt = "cbtxt=" ptoken
 prompt = "prompt"
 customtoken = ptoken

da-status: Specifies whether the receiving client MUST retry the request. The client's precise interpretation of the possible values of "da-status" is specified in section 3.1.5.2.

srealm: A string that MUST contain the realm name of the authentication server.

cburl: Specifies a co-branding URL.

cbtxt: Specifies optional co-branding text.

prompt: Specifies, by its presence, that the client MUST prompt the user for credentials.

customtoken: A custom parameter that an authentication server MAY add to the response. It is not explicitly part of the protocol.

This token is interpreted by the authentication server only. The client MUST NOT interpret the value. The client MUST send the token unchanged to the authentication server in a subsequent Sign-in Request message.

Example:

 WWW-Authenticate: Passport1.4 da-status=failed,srealm=Passport.NET,ts=-2,prompt
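The following client-side parser is an added example, not code from the protocol specification or from any Passport implementation. It applies the grammar above to the example challenge: it refuses the message unless it arrived with HTTP 401, requires da-status and srealm in the leading positions the ABNF fixes, maps "failed" versus "failed-noretry" onto a retry decision, and keeps anything it does not recognize (such as the "ts=-2" token in the example) as an opaque customtoken to be echoed back unchanged. Two assumptions are labelled in the code: ptoken never contains a comma (the grammar uses "," as the delimiter), and httpURL is taken to allow https as well as http. The cburl check is the caveat a practitioner would add, since a challenge from a spoofed server would otherwise hand the client an arbitrary "co-branding" link.

```python
"""Parse a Passport1.4 Authentication Server Challenge (section 2.2.2 grammar)."""
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

SCHEME = "Passport1.4"
STATUS_CODES = ("failed", "failed-noretry")


class ChallengeError(ValueError):
    """Raised when the header value does not match the challenge grammar."""


@dataclass
class Challenge:
    da_status: str
    srealm: str
    prompt: bool = False
    cburl: Optional[str] = None
    cbtxt: Optional[str] = None
    # customtoken values, kept exactly as received; the client never interprets them
    custom_tokens: List[str] = field(default_factory=list)

    @property
    def may_retry(self) -> bool:
        # "failed" allows a retry (prompting for credentials if "prompt" is present);
        # "failed-noretry" tells the client to stop
        return self.da_status == "failed"


def _check_cburl(url: str) -> str:
    # httpURL in the grammar: require an absolute URL with a host and an http(s) scheme,
    # so a forged challenge cannot supply a javascript:/file: co-branding link.
    # Assumption: https is acceptable alongside http.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ChallengeError(f"cburl is not an http URL: {url!r}")
    return url


def parse_challenge(header_value: str, http_status: int = 401) -> Challenge:
    """Parse the WWW-Authenticate value of a Passport1.4 challenge.

    Assumption: a ptoken never contains a comma, so splitting on "," is safe.
    """
    if http_status != 401:
        raise ChallengeError("the challenge is processed only with HTTP status 401")
    scheme, _, params = header_value.strip().partition(" ")
    if scheme != SCHEME:
        raise ChallengeError(f"unexpected scheme {scheme!r}")
    fields = [f.strip() for f in params.split(",") if f.strip()]
    # The ABNF fixes the first two parameters: da-status, then srealm
    if (len(fields) < 2 or not fields[0].startswith("da-status=")
            or not fields[1].startswith("srealm=")):
        raise ChallengeError("da-status and srealm must lead the parameter list")
    status = fields[0][len("da-status="):]
    if status not in STATUS_CODES:
        raise ChallengeError(f"unknown da-status {status!r}")
    realm = fields[1][len("srealm="):]
    if not realm:
        raise ChallengeError("srealm must not be empty")
    ch = Challenge(da_status=status, srealm=realm)
    for f in fields[2:]:
        if f == "prompt":
            ch.prompt = True
        elif f.startswith("cburl="):
            ch.cburl = _check_cburl(f[len("cburl="):])
        elif f.startswith("cbtxt="):
            ch.cbtxt = f[len("cbtxt="):]
        else:
            ch.custom_tokens.append(f)  # opaque customtoken, stored verbatim
    return ch


def challenge_is_valid(header_value: str, http_status: int = 401) -> bool:
    """True if the header parses as a well-formed challenge under the grammar."""
    try:
        parse_challenge(header_value, http_status)
        return True
    except ChallengeError:
        return False


def tokens_to_echo(ch: Challenge) -> str:
    """The customtoken material to send back unchanged in the next Sign-in Request."""
    return ",".join(ch.custom_tokens)


if __name__ == "__main__":
    # Constructed input: the example challenge from this section
    example = "Passport1.4 da-status=failed,srealm=Passport.NET,ts=-2,prompt"
    ch = parse_challenge(example)
    print(ch, "retry:", ch.may_retry, "echo:", tokens_to_echo(ch))
```

The parser is deliberately strict about position for da-status and srealm and lenient about everything after them, which mirrors the grammar: the server is free to add a customtoken, and the client's only obligation for it is to pass it back untouched.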