Re: curl doesn't handle multiple WWW-Authenticate challenges properly (Negotiate)
Date: Tue, 28 Jan 2020 17:04:16 +0100
On Tue, Jan 28, 2020 at 4:23 PM Daniel Stenberg via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> On Tue, 28 Jan 2020, Jung Michel via curl-library wrote:
>
> > However, if the 401 response contains more than one challenge, like so:
> >
> > WWW-Authenticate: Negotiate, Basic realm="TM1"
>
> This is accurate. curl doesn't handle multiple authentications specified on
> the same physical line, but will deal with them if they arrive in multiple
> headers. This limitation actually affects all HTTP authentication methods, not
> just Negotiate.
>
> Amazingly enough, this is something that is extremely rare in practice in the
> wild and therefore has not been much of a problem.

Just for information, I ran into the same problem when trying to add
both Basic and Bearer Authorization headers for an OAuth2 request.
There I also had the problem that --oauth2-bearer actually
doesn't work for https.

Specifying both a --user client_id:client_secret and a -H
"Authorization: Bearer myfirstbearertoken" only sends the latter, it
seems.

Usually you can easily work around these things by manually setting
all the headers using the -H flag, but it's a bit frustrating.

Best,
Mischa

>
> You interested in diving in and work on fixing this?
>
> --
>
> / daniel.haxx.se | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2020-01-28
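
Added example, not part of the original mail and not curl's code: a minimal Python parser that splits one WWW-Authenticate field value into its challenges using the challenge grammar of RFC 7235. It shows why a plain comma split is not enough, since commas also separate auth-params and can occur inside quoted strings. The function names and the second sample header are assumptions made for illustration.

```python
import re

# Grammar pieces from RFC 7235: token, quoted-string, auth-param, token68.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")
TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")
SCHEME = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)
ITEM = re.compile(rf'(?:{QUOTED}|[^,"])+')  # run of text up to a comma outside quotes

def split_items(value):
    """Split a header value on commas that lie outside quoted strings."""
    return [item.strip() for item in ITEM.findall(value) if item.strip()]

def add_param(challenge, match):
    """Store one auth-param; names are case-insensitive, quoted values are unescaped."""
    name, raw = match.group(1).lower(), match.group(2)
    challenge["params"][name] = re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw[0] == '"' else raw

def parse_challenges(value):
    """Return one dict per challenge found in a WWW-Authenticate field value."""
    challenges = []
    for item in split_items(value):
        param = PARAM.fullmatch(item)
        if param and challenges:  # a bare name=value continues the current challenge
            add_param(challenges[-1], param)
            continue
        head = SCHEME.fullmatch(item)  # anything else must open a new challenge
        if not head:
            raise ValueError(f"malformed challenge item: {item!r}")
        current = {"scheme": head.group(1), "token68": None, "params": {}}
        rest = (head.group(2) or "").strip()
        first = PARAM.fullmatch(rest)
        if first:
            add_param(current, first)
        elif TOKEN68.fullmatch(rest):
            current["token68"] = rest
        elif rest:
            raise ValueError(f"malformed challenge item: {item!r}")
        challenges.append(current)
    return challenges

# Constructed sample values: the header from the thread, then a harder case.
THREAD_HEADER = 'Negotiate, Basic realm="TM1"'
HARDER_HEADER = 'Digest realm="a, b", qop="auth", Negotiate YWJj, Bearer'

if __name__ == "__main__":
    for header in (THREAD_HEADER, HARDER_HEADER):
        print([c["scheme"] for c in parse_challenges(header)])
```

A client that sees every offered scheme can then choose among them by its own policy instead of acting only on the first one in the line.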