18.104.22.168 Realm Autodiscovery Through HTTP 401 Challenge
When a server receives a request that contains an empty BearerHTTP Authorization header, the server responds with an HTTP 401 challenge, as specified in [RFC2616] and [RFC2617]. The BearerWWW-Authenticate header of the HTTP 401 challenge contains the following fields:
client_id. The client's security principal identifier.
trusted_issuers. A comma-separated list of all security token issuers the server trusts. The client can then select a security token issuer to request a security token.