Appendix E. Authentication Workflows

The client-to-origin workflow involves a client authenticating to an origin server, as shown in Figure E-1.

Client authenticates with origin
Figure E-1. Client authenticates with origin

The client attempts to access a protected resource from an origin server. The server, seeing that the resource is protected, sends back a challenge to the client via a 401 Unauthorized response. The response contains a WWW-Authenticate header (see Table B-3) that contains one or more challenges that the client must respond to in order to access the resource.

The client then sends back a request to the resource providing an Authorization header with the requested credentials.

In the client-to-proxy workflow, a client attempts to access a resource via a secure proxy that it must authenticate against. This is shown in Figure E-2.

Client authenticates with proxy
Figure E-2. Client authenticates with proxy

The client attempts to access a protected resource via an authenticated proxy. The proxy, seeing the request, sends back a challenge to the client via a 407 Proxy Authentication Required response. The response contains a Proxy-Authenticate header (see Table B-3) that contains one or more challenges for accessing the proxy itself. The client then sends back the request, including the Proxy-Authorization header with the requested credentials. If, after authenticating with the proxy, the resource the user is attempting to access is protected, origin server authentication will also kick in. Figure E-3 illustrates this, showing the origin server responding with a challenge after proxy authentication is complete.

Client authenticates with proxy
Figure E-3. Client authenticates with proxy