3.1.5.2 Processing Authentication Server Challenge Messages

If the received "da-status" value in the Authentication Server Challenge message is set to "fail-noretry", or if the received value of srealm does not equal the value of DARealm in the client's stored Passport Configuration Data (as specified in section 3.1.1), the client MUST handle the error by passing to the application the HTTP 401 status along with any HTML content contained in the accompanying HTTP response. Otherwise, the client MUST respond with a Sign-in Request message to the authentication server and store this message as Last Sign-in Request for reuse in case of a redirect (as specified in section 3.1.5.6).

If the received Authentication Server Challenge message includes a prompt predicate parameter, the user MUST be prompted for a user name and password, which MUST then be used to assign the values of sign-in and Pwd in the Sign-in Request message. Otherwise, the client MAY take the values of sign-in and Pwd from its stored credentials, Cached User Credentials, as specified in section 3.1.1. That is, a Passport SSI Version 1.4 Protocol client MAY use local code to obtain the cached credentials and provide them to the authentication server.<8>

If Cached User Credentials are used, the elapsed-time value in the outgoing message MUST be set to the number of seconds between the current time and the "time entered" value stored with the Cached User Credentials, as specified in section 3.1.1. However, if the user is prompted to enter the credentials, the elapsed-time value MUST be set to zero. The values of OrgVerb and OrgUrl MUST then be set to the values in the client's stored state for Original HTTP Verb and Original HTTP URL (as specified in section 3.1.1). The value of Challenge is retrieved from Partner Challenge.

If present, the cburl and cbtxt parameters indicate a co-branding URL and co-branding text that the client SHOULD pass to the application to be displayed to the user.
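The decision procedure above (fail-noretry or srealm mismatch, prompt versus cached credentials, elapsed-time, and the OrgVerb/OrgUrl/Challenge values), as an added example of a client-side implementation; this is illustrative code, not part of the specification or of any Microsoft implementation. It assumes a simplified layout for the challenge: the parameters follow the "Passport1.4" scheme token as a comma-separated list in which bare predicates such as prompt carry no value and values contain no embedded commas. The state names (ClientState, CachedUserCredentials) and the return dictionaries are likewise this example's own. Note that the srealm comparison is what stops the client from handing its credentials to an authentication server other than the configured DARealm, so the example treats a missing srealm the same as a mismatch.

```python
"""Client handling of a Passport SSI 1.4 Authentication Server Challenge.

Added illustration of section 3.1.5.2; not code from the specification.
Assumed (not stated on the page): the challenge parameters arrive as a
comma-separated list after the "Passport1.4" scheme token, bare predicates
such as "prompt" carry no value, and values contain no embedded commas.
"""
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class CachedUserCredentials:
    """Cached User Credentials (section 3.1.1) with their "time entered" stamp."""
    sign_in: str
    pwd: str
    time_entered: float  # seconds since the epoch when the user typed them


@dataclass
class ClientState:
    """The client's stored state referenced by section 3.1.5.2 (names assumed)."""
    da_realm: str                 # DARealm from Passport Configuration Data
    original_http_verb: str       # Original HTTP Verb
    original_http_url: str        # Original HTTP URL
    partner_challenge: str        # Partner Challenge
    cached: Optional[CachedUserCredentials] = None
    last_sign_in_request: Optional[dict] = None  # Last Sign-in Request (3.1.5.6)


def parse_challenge(www_authenticate: str) -> dict:
    """Split 'Passport1.4 da-status=failed,srealm=X,prompt,...' into a dict.

    Bare predicates (no '=') map to True. Assumed layout, see module docstring.
    """
    scheme, _, rest = www_authenticate.strip().partition(" ")
    if scheme != "Passport1.4":
        raise ValueError("not a Passport1.4 challenge: %r" % scheme)
    params = {}
    for item in rest.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        params[name.strip()] = value.strip() if sep else True
    return params


def process_challenge(state: ClientState, www_authenticate: str, html_body: str,
                      prompt_user: Callable[[], Tuple[str, str]],
                      now: Optional[float] = None) -> dict:
    """Apply the rules of section 3.1.5.2 to one challenge.

    Returns {"action": "pass-401", ...} when the error must go to the
    application, or {"action": "sign-in", "request": {...}, ...} carrying the
    Sign-in Request parameters to send to the authentication server.
    """
    now = time.time() if now is None else now
    params = parse_challenge(www_authenticate)
    # Co-branding URL and text, if present, go to the application either way.
    cobrand = {k: params[k] for k in ("cburl", "cbtxt") if k in params}

    # fail-noretry, or a realm that is not the configured DARealm (including no
    # srealm at all): send no credentials; pass the 401 and any HTML upward.
    if params.get("da-status") == "fail-noretry" or params.get("srealm") != state.da_realm:
        return {"action": "pass-401", "status": 401, "html": html_body, **cobrand}

    if "prompt" in params or state.cached is None:
        # The prompt predicate forces a fresh prompt; prompting when nothing is
        # cached is this example's choice (the page only says the client MAY reuse).
        sign_in, pwd = prompt_user()
        elapsed_time = 0  # MUST be zero when the user was prompted
    else:
        sign_in, pwd = state.cached.sign_in, state.cached.pwd
        # Seconds between now and the "time entered" stored with the cache.
        elapsed_time = int(now - state.cached.time_entered)

    request = {
        "OrgVerb": state.original_http_verb,
        "OrgUrl": state.original_http_url,
        "sign-in": sign_in,
        "Pwd": pwd,
        "elapsed-time": elapsed_time,
        "Challenge": state.partner_challenge,
    }
    state.last_sign_in_request = request  # kept for reuse if a redirect follows
    return {"action": "sign-in", "request": request, **cobrand}


if __name__ == "__main__":
    # Constructed sample: a retryable challenge from the configured realm,
    # answered from credentials cached 90 seconds ago.
    st = ClientState("Passport.NET", "GET", "http://partner.example/inbox", "ct=1,ver=1",
                     cached=CachedUserCredentials("alice@example.com", "hunter2",
                                                  time.time() - 90))
    print(process_challenge(st, "Passport1.4 da-status=failed,srealm=Passport.NET,cbtxt=Welcome",
                            "<html>retry</html>", lambda: ("alice@example.com", "typed")))
```

Serializing the returned request dictionary into the Authorization header follows the Sign-in Request message syntax in section 2.2 and is left out here; the example stops at the parameter values the section mandates.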