2.2.2 Authentication Server Challenge Message
The Authentication Server Challenge message is sent by the authentication server to the client and indicates that the sign-in request or token request failed.
This message is processed only when returned with a 401 HTTP status code. The return value MUST be as follows.
Authentication-Server-Challenge-Message = "WWW-Authenticate:" scheme 1*SP da-status "," srealm ["," customtoken] ["," prompt] ["," cburl] ["," cbtxt]
status-codes = "failed" / "failed-noretry"
da-status = "da-status=" status-codes
srealm = "srealm=" ptoken
cburl = "cburl=" httpURL
cbtxt = "cbtxt=" ptoken
prompt = "prompt"
customtoken = ptoken
da-status: Specifies if the receiving client MUST retry the request. The client's precise interpretation of the possible values of "da-status" is specified in section 3.1.5.2.
srealm: A string that MUST contain the realm name of the authentication server.
cburl: Specifies a co-branding URL.
cbtxt: Specifies optional co-branding text.
prompt: Specifies, by its presence, that the client MUST prompt the user for credentials.
customtoken: Custom parameter that an authentication server MAY add to the response. Not explicitly part of the protocol.
This token is interpreted by the authentication server only. The client MUST NOT interpret the value. The client MUST send the token unchanged to the authentication server in a subsequent Sign-in Request message.
Example:
WWW-Authenticate: Passport1.4 da-status=failed, srealm=Passport.NET,ts=-2,prompt
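The following strict client-side parser for the grammar above is an added example, not code from the specification. It assumes that parameter values contain no commas (ptoken is defined elsewhere in the specification), that whitespace around a parameter is only separator, and that httpURL covers both http and https; the names parse_challenge, Challenge and SAMPLE are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

STATUS_CODES = {"failed", "failed-noretry"}
ORDER = ["customtoken", "prompt", "cburl", "cbtxt"]  # order the grammar allows

@dataclass
class Challenge:
    scheme: str
    da_status: str
    srealm: str
    customtoken: Optional[str] = None  # opaque: echoed back unchanged, never interpreted
    prompt: bool = False
    cburl: Optional[str] = None
    cbtxt: Optional[str] = None

def _kind(param: str) -> str:
    if param == "prompt":
        return "prompt"
    for name in ("cburl", "cbtxt"):
        if param.startswith(name + "="):
            return name
    return "customtoken"  # anything else is the server's custom token

def parse_challenge(http_status: int, value: str) -> Optional[Challenge]:
    """Parse the text after 'WWW-Authenticate:'; returns None unless status is 401."""
    if http_status != 401:
        return None  # the message is processed only with a 401 status code
    scheme, _, rest = value.strip().partition(" ")
    params = [p.strip() for p in rest.split(",")]
    if (len(params) < 2 or not params[0].startswith("da-status=")
            or not params[1].startswith("srealm=")):
        raise ValueError("expected da-status followed by srealm")
    status, realm = params[0][len("da-status="):], params[1][len("srealm="):]
    if status not in STATUS_CODES or not realm:
        raise ValueError("unknown da-status or empty srealm")
    ch, next_slot = Challenge(scheme, status, realm), 0
    for p in params[2:]:
        kind = _kind(p)
        slot = ORDER.index(kind)
        if not p or slot < next_slot:  # empty, repeated or out-of-order parameter
            raise ValueError(f"unexpected parameter: {p!r}")
        next_slot = slot + 1
        if kind == "prompt":
            ch.prompt = True
        elif kind == "customtoken":
            ch.customtoken = p  # stored whole, including any '=' it contains
        else:
            val = p[len(kind) + 1:]
            if kind == "cburl" and urlsplit(val).scheme not in ("http", "https"):
                raise ValueError("cburl is not an http(s) URL")
            setattr(ch, kind, val)
    return ch

SAMPLE = "Passport1.4 da-status=failed, srealm=Passport.NET,ts=-2,prompt"  # from the example above
```

Rejecting unknown da-status values and out-of-order parameters keeps a malformed challenge from being treated as a retry instruction, and validating cburl before display keeps non-HTTP schemes out of the co-branding UI.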