The client-to-origin workflow involves a client authenticating to an origin server, as shown in Figure E-1.
The client attempts to access a protected resource from an origin server. The server, seeing that the resource is protected, sends back a challenge to the client via a 401 Unauthorized response. The response contains a WWW-Authenticate header (see Table B-3) that contains one or more challenges that the client must respond to in order to access the resource. The client then sends back a request to the resource providing an Authorization header with the requested credentials.
In the client-to-proxy workflow, a client attempts to access a resource via a secure proxy that it must authenticate against. This is shown in Figure E-2.
The client attempts to access a protected resource via an authenticated proxy. The proxy, seeing the request, sends back a challenge to the client via a 407 Proxy Authentication Required response. The response contains a Proxy-Authenticate header (see Table B-3) that contains one or more challenges for accessing the proxy itself. The client then sends back the request, including the Proxy-Authorization header with the requested credentials. If, after authenticating with the proxy, the resource the user is attempting to access is protected, origin server authentication will also kick in. Figure E-3 illustrates this, showing the origin server responding with a challenge after proxy authentication is complete.
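The combined exchange described above (proxy challenge first, then origin challenge) can be traced with a small client loop; this is an added example, not code from the original text. It assumes the Basic scheme, a simplified challenge parser, and a constructed `fake_network` function with made-up credentials standing in for the proxy and origin server.

```python
import base64
import re

# status -> (challenge header, credential header, credential store key)
FLOWS = {
    401: ("WWW-Authenticate", "Authorization", "origin"),
    407: ("Proxy-Authenticate", "Proxy-Authorization", "proxy"),
}

def parse_challenges(value):
    """Return {scheme: {param: value}}. Simplified: no token68, no commas in quoted values."""
    challenges, current = {}, None
    for part in value.split(","):
        m = re.match(r'\s*(?:([A-Za-z]+)\s+)?(\w+)=("[^"]*"|\S+)\s*$', part)
        if not m:
            continue
        scheme, key, val = m.groups()
        if scheme:  # a new challenge starts here
            current = challenges.setdefault(scheme.lower(), {})
        if current is not None:
            current[key.lower()] = val.strip('"')
    return challenges

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def fetch(send, creds):
    """Retry a request, answering each 401/407 challenge once. Returns (status, headers sent)."""
    headers = {}
    while True:
        status, resp_headers = send(headers)
        if status not in FLOWS:
            return status, headers
        challenge_h, cred_h, role = FLOWS[status]
        offered = parse_challenges(resp_headers.get(challenge_h, ""))
        # Stop if no supported scheme is offered, or these credentials were already rejected.
        if "basic" not in offered or cred_h in headers:
            return status, headers
        # Proxy and origin credentials are kept separate and sent only in their own header.
        headers[cred_h] = basic(*creds[role])

# Constructed stand-in for the proxy and origin server (not a real network call).
def fake_network(headers):
    if headers.get("Proxy-Authorization") != basic("puser", "ppass"):
        return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}
    if headers.get("Authorization") != basic("alice", "s3cret"):
        return 401, {"WWW-Authenticate": 'Digest realm="api", nonce="abc", Basic realm="api"'}
    return 200, {}
```

Because the client adds a credential header only in response to the matching challenge, the origin credentials are never sent unless a 401 challenge from the origin server is received.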