On 24. 5. 25 14:12, Daniel Sahlberg wrote:
As I understand WWW-Authenticate, it is possible to add multiple
authentications at the same time. If we would have a server-wide 2FA
setting (i.e., all users are required to use 2FA), we could possibly combine
steps 2 and 4 into a single step, saving a roundtrip to the server. (We
don't need to know the user before requesting a TOTP - as long as we get
the username we can verify it afterwards). Only maybe if it is difficult to
send multiple Authorization: headers.

I think those multiple authentication types in WWW-Authenticate are meant to be alternatives, not a sequence; the client picks the scheme it supports. I have no clue what happens if you send multiple Authorization headers. You could invent combined schemes, e.g., "Basic+TOTP" and define how the TOTP response is encoded in the Authorization header along with the other credentials, but that would kill generic DAV clients.

And let's not forget that one can browse Subversion repositories ... that's a case that we've not discussed yet. Heh, imagine mod_dav_svn, I mean mod_authn_totp, generating HTML to request a second factor. Ouch. :)

-- Brane
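An added example, not from this thread: a small RFC 7235 parser that splits a WWW-Authenticate value carrying several challenges and lets the client pick one scheme by its own preference order, i.e. the "alternatives, not a sequence" behaviour described above. The header value and the preference list are constructed for illustration; a Subversion-style realm is used only as sample data.

```python
import re

# Split on commas that sit outside double-quoted strings. Quoted values with
# escaped quotes inside them are rare in challenges and are not handled here.
_SPLIT = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')
# auth-param: token "=" ( token | quoted-string )
_PARAM = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+\-.^_`|~]+)\s*=\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s"]+))\s*$')


def _unquote(quoted, bare):
    # Remove backslash escapes from a quoted-string; bare tokens pass through.
    return re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare


def parse_www_authenticate(header):
    """Return a list of challenges: {scheme, params, token68} in header order."""
    challenges = []
    for piece in _SPLIT.split(header):
        piece = piece.strip()
        if not piece:
            continue
        m = _PARAM.match(piece)
        if m and challenges:
            # A bare key=value continues the most recent challenge.
            challenges[-1]["params"][m.group(1).lower()] = _unquote(m.group(2), m.group(3))
            continue
        # Otherwise this piece starts a new challenge: scheme [SP (param | token68)].
        parts = piece.split(None, 1)
        chal = {"scheme": parts[0].lower(), "params": {}, "token68": None}
        if len(parts) == 2:
            pm = _PARAM.match(parts[1])
            if pm:
                chal["params"][pm.group(1).lower()] = _unquote(pm.group(2), pm.group(3))
            else:
                chal["token68"] = parts[1]
        challenges.append(chal)
    return challenges


def choose_challenge(challenges, client_preference):
    """Pick the first scheme in the client's preference list that the server offered."""
    offered = {c["scheme"]: c for c in challenges}
    for scheme in client_preference:
        if scheme.lower() in offered:
            return offered[scheme.lower()]
    return None  # no overlap: the client cannot authenticate at all


# Constructed sample: three alternative challenges in one header value.
SAMPLE = ('Digest realm="Subversion repository", qop="auth", nonce="abc123", '
          'Basic realm="Subversion repository", Negotiate')
```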
