3.2.5.4 Realm Autodiscovery Through HTTP 401 Challenge

When a server receives a request that contains an empty Bearer HTTP Authorization header, the server responds with an HTTP 401 challenge, as specified in [RFC2616] and [RFC2617]. The Bearer WWW-Authenticate header of the HTTP 401 challenge contains the following fields:

  • client_id. The client's security principal identifier.

  • realm. The server MAY<1> return this field. This is the source realm of the client.

  • trusted_issuers. A comma-separated list of all security token issuers the server trusts. The client can then select a security token issuer to request a security token.

For an example of realm autodiscovery through HTTP 401 challenge, see section 4.6.
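The exchange described above, as an added example that is not part of the specification or of any Microsoft implementation: one helper builds the empty Bearer Authorization header a client sends, one builds the server's Bearer WWW-Authenticate challenge (with realm optional, since the server is not required to return it), and one parses a received challenge into its client_id, optional realm, and the comma-separated trusted_issuers list so the client can pick an issuer. The sample identifiers and issuer names are constructed placeholders, and the selection rule in select_issuer (take a preferred issuer if the server listed it, otherwise the first one) is an assumption, not a rule from the specification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample challenge; the client_id, realm and issuer names are placeholders.
SAMPLE_CHALLENGE = (
    'Bearer client_id="00000000-0000-0000-0000-000000000001", '
    'realm="contoso.example", '
    'trusted_issuers="issuer-a@contoso.example,issuer-b@fabrikam.example"'
)

# Matches one key=value parameter; the value may be quoted or a bare token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def empty_bearer_header() -> Dict[str, str]:
    """Client side: the request carries a Bearer Authorization header with no token."""
    return {"Authorization": "Bearer"}


def build_challenge(client_id: str, trusted_issuers: List[str],
                    realm: Optional[str] = None) -> str:
    """Server side: the Bearer WWW-Authenticate value for the HTTP 401 response.

    realm is optional because the server MAY omit it.
    """
    parts = [f'client_id="{client_id}"']
    if realm is not None:
        parts.append(f'realm="{realm}"')
    parts.append(f'trusted_issuers="{",".join(trusted_issuers)}"')
    return "Bearer " + ", ".join(parts)


def parse_bearer_challenge(www_authenticate: str) -> Dict[str, object]:
    """Client side: split a Bearer challenge into its fields.

    Raises ValueError when the scheme is not Bearer or a required field is absent,
    so a client never proceeds on a malformed or foreign challenge.
    """
    if not www_authenticate.lower().startswith("bearer"):
        raise ValueError("not a Bearer challenge")
    params: Dict[str, str] = {}
    for match in _PARAM_RE.finditer(www_authenticate[len("Bearer"):]):
        key = match.group(1).lower()
        value = match.group(2) if match.group(2) is not None else match.group(3)
        params[key] = value
    for required in ("client_id", "trusted_issuers"):
        if required not in params:
            raise ValueError(f"challenge missing required field {required}")
    # trusted_issuers is a comma-separated list; drop empty entries and surrounding spaces.
    issuers = [s.strip() for s in params["trusted_issuers"].split(",") if s.strip()]
    return {
        "client_id": params["client_id"],
        "realm": params.get("realm"),  # None when the server did not return it
        "trusted_issuers": issuers,
    }


def select_issuer(trusted_issuers: List[str], preferred: Optional[str] = None) -> str:
    """Pick the issuer the client will ask for a token (assumed rule, not from the spec):
    a preferred issuer only if the server actually trusts it, otherwise the first listed."""
    if not trusted_issuers:
        raise ValueError("server listed no trusted issuers")
    if preferred is not None and preferred in trusted_issuers:
        return preferred
    return trusted_issuers[0]


if __name__ == "__main__":
    print("request headers:", empty_bearer_header())
    parsed = parse_bearer_challenge(SAMPLE_CHALLENGE)
    print("parsed challenge:", parsed)
    print("chosen issuer:", select_issuer(parsed["trusted_issuers"]))
```

The parser insists on the client_id and trusted_issuers fields but tolerates a missing realm, which mirrors the optionality stated in the field list; a client that treats a missing realm as an error would fail against a conforming server.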