Opened 8 years ago

Last modified 4 years ago

#485 new enhancement

Multiple WWW-Authenticate headers

Reported by: Fasih Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.5.x
Keywords: response header handling Cc:
uname -a: Linux fasih-thinks 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:13:26 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.5.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --prefix=/home/faskiri/usr --with-debug


RFC allows a server to respond with multiple WWW-Authenticate header (

"User agents are advised to take special care in parsing the WWW- Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters."

However nginx defines WWW-Authenticate header as an ngx_table_elt_t in the ngx_http_headers_out_t struct as opposed to an ngx_array_t like other allowed repeated value headers.

I am using nginx as a reverse proxy. The upstream sends two WWW-Authenticate headers with different realms. I was processing the www_authenticate header field and hadnt realized that it was legal to send multiple WWW-Authenticate headers.

One e.g. for a valid real-world use:

Attachments (1)

patch.485.diff (6.7 KB ) - added by David Carlier 8 years ago.

Download all attachments as: .zip

Change History (7)

by David Carlier, 8 years ago

Attachment: patch.485.diff added

comment:1 by David Carlier, 8 years ago

This is my very first contribution, please do not be too severe. so I ve updated the ngx_http_request_t struct and updated module consumers as well. I have tested with mdounin unit tests and it looks ok.

comment:2 by Maxim Dounin, 8 years ago

Please see this thread and this message in particular. As suggested, just changing WWW-Authenticate to array_t looks wrong.

Note well that the patch suggested doesn't allow to intercept 401 errors from upstream with multiple WWW-Authenticate headers. And this looks like the only practical problem with multiple WWW-Authenticate headers.

Please also see

comment:3 by Maxim Dounin, 6 years ago

Type: defectenhancement

comment:4 by gerrieg@…, 5 years ago

Are there any plans to support multiple WWW-Authenticate headers soon?

In our company we want to switch the IIS servers to NGINX, we are using the auth_request_module and we developed a authentication server that sends a Negotiate and a Basic WWW-Authenticate header. But only the first one arrives at the client.
We tried to send the two challenges in one header, but the clients do not understand this.

Now we are blocked, so any chance to implement this?

comment:5 by kipras@…, 4 years ago

We've hit this issue as well. Just wondering if this is this planned to be implemented sometime ?

comment:6 by DenverJ@…, 4 years ago

We have also hit this issue with the auth_request module trying to use an intranet authentication server that sends multiple WWW-Authenticate headers. A real blocker!

Note: See TracTickets for help on using tickets.