Appendix E. Authentication Workflows

The client-to-origin workflow involves a client authenticating to an origin server, as shown in Figure E-1.

Figure E-1. Client authenticates with origin

The client attempts to access a protected resource from an origin server. The server, seeing that the resource is protected, sends back a challenge to the client via a 401 Unauthorized response. The response contains a WWW-Authenticate header (see Table B-3) that contains one or more challenges that the client must respond to in order to access the resource.

The client then sends back a request to the resource providing an Authorization header with the requested credentials.

In the client-to-proxy workflow, a client attempts to access a resource via a secure proxy that it must authenticate against. This is shown in Figure E-2.

Figure E-2. Client authenticates with proxy

The client attempts to access a protected resource via an authenticated proxy. The proxy, seeing the request, sends back a challenge to the client via a 407 Proxy Authentication Required response. The response contains a Proxy-Authenticate header (see Table B-3) that contains one or more challenges for accessing the proxy itself. The client then sends back the request, including the Proxy-Authorization header with the requested credentials. If, after authenticating with the proxy, the resource the user is attempting to access is protected, origin server authentication will also kick in. Figure E-3 illustrates this, showing the origin server responding with a challenge after proxy authentication is complete.

Figure E-3. Client authenticates with proxy
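The three exchanges above (origin challenge, proxy challenge, and proxy followed by origin), as an added simulation that is not the book's own code: a toy origin and authenticating proxy issue 401/407 challenges, and a client answers each one with the matching credential header and retries. The Basic scheme, the realms, and the credentials are assumptions constructed for the walk-through.

```python
import base64

# Constructed sample credentials for the walk-through (not real accounts).
PROXY_CREDS = ("proxyuser", "proxypass")
ORIGIN_CREDS = ("alice", "s3cret")

def basic_token(user, password):
    # Basic is base64, not encryption: the exchange needs TLS underneath.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_challenge(value):
    """Split a challenge such as 'Basic realm="api"' into (scheme, params)."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for part in rest.split(","):
        key, _, val = part.strip().partition("=")
        if key:
            params[key.lower()] = val.strip().strip('"')
    return scheme.lower(), params

def origin(request):
    """Origin server (Figure E-1): 401 + WWW-Authenticate until the
    Authorization header carries acceptable credentials."""
    if request.get("Authorization") != basic_token(*ORIGIN_CREDS):
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    return 200, {}

def proxy(request):
    """Authenticating proxy (Figures E-2/E-3): 407 + Proxy-Authenticate until
    Proxy-Authorization is valid, then the request is forwarded to the origin."""
    if request.get("Proxy-Authorization") != basic_token(*PROXY_CREDS):
        return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}
    return origin(request)

def fetch(send, proxy_creds=PROXY_CREDS, origin_creds=ORIGIN_CREDS):
    """Client: answer each challenge once and retry; stop on an unknown scheme
    or a rejected credential. Returns the status codes seen, in order."""
    request, statuses = {}, []
    for _ in range(4):  # bounded: at most 407, 401, 200
        status, headers = send(dict(request))
        statuses.append(status)
        if status == 407:
            hdr, challenge, creds = "Proxy-Authorization", headers["Proxy-Authenticate"], proxy_creds
        elif status == 401:
            hdr, challenge, creds = "Authorization", headers["WWW-Authenticate"], origin_creds
        else:
            break
        scheme, _ = parse_challenge(challenge)
        if scheme != "basic" or hdr in request:  # unsupported, or already tried
            break
        request[hdr] = basic_token(*creds)
    return statuses
```

`fetch(origin)` walks Figure E-1 (401 then 200) and `fetch(proxy)` walks Figure E-3 (407, 401, then 200); the "already tried" guard is what keeps a client from resending a rejected credential in a loop.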
