4.6 Realm Autodiscovery Through HTTP 401 Challenge

In this example, the client tries to access a resource on a server. It also tries to use realm autodiscovery by including an empty Bearer authorization header in its request. An example of such a request is as follows.

 POST https://contoso.com/autodiscover/autodiscover.svc HTTP/1.1
 Content-Type: text/xml; charset=utf-8
 Accept: text/xml
 User-Agent: Test/1.0 (ContosoServicesClient/15.00.0424.000)
 client-request-id: 00000000-0000-0000-0000-000000000000
 Authorization: Bearer
 Host: contoso.com
 Content-Length: 1368
 Expect: 100-continue

The server responds with an HTTP 401 challenge that lists the security token issuers it trusts in the trusted_issuers field. An example of such a challenge is as follows.

 HTTP/1.1 401 Unauthorized
 Server: Fabrikam/7.5
 request-id: 443ce338-377a-4c16-b6bc-c169a75f7b00
 X-FEServer: XJSUI01CA101
 WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0001-0000-c000-000000000000@*"
 WWW-Authenticate: Basic Realm=""
 X-Powered-By: ASP.NET
 Date: Thu, 19 Apr 2012 17:04:16 GMT
 Content-Length: 0

In this example, the server determines that the value in the trusted_issuers field contains sufficient information for the client to locate the security token service (STS), so the server does not include a realm field in the challenge.
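The following is an added example of how a client can consume the 401 challenge shown above; it is not code from the specification or from any Microsoft implementation. It parses the raw response, picks the Bearer challenge out of the two WWW-Authenticate headers (ignoring the Basic one), splits the trusted_issuers value into issuer/realm pairs, and reports whether a realm field was present. The sample response is constructed from the header lines on this page. Two points are assumptions rather than anything the page states: that several trusted issuers are separated by ';', and that a realm of '*' means the issuer is not bound to a particular realm.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 401 challenge from the section above, as raw header lines.
SAMPLE_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Fabrikam/7.5\r\n"
    "request-id: 443ce338-377a-4c16-b6bc-c169a75f7b00\r\n"
    'WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", '
    'trusted_issuers="00000001-0001-0000-c000-000000000000@*"\r\n'
    'WWW-Authenticate: Basic Realm=""\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# One auth-param: name=value, where value is either quoted or a bare token,
# followed by a comma or the end of the challenge.
_PARAM_RE = re.compile(
    r'\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(?:"([^"]*)"|([^,\s]*))\s*(?:,|$)'
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and (name, value) pairs.

    Header names are lower-cased; the same name may appear more than once,
    which is exactly the case for WWW-Authenticate in the sample above.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_bearer_challenge(value: str) -> Optional[Dict[str, str]]:
    """Return the auth-params of a WWW-Authenticate value if it is a Bearer
    challenge, or None for any other scheme (for example, the Basic one)."""
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "bearer":
        return None
    return {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM_RE.finditer(params)
    }


def parse_trusted_issuers(field: str) -> List[Tuple[str, str]]:
    """Split trusted_issuers into (issuer_id, realm) pairs.

    Assumption (not stated on the page): multiple entries are ';'-separated,
    and a realm of '*' means the issuer is not tied to a specific realm.
    An entry without '@' is rejected rather than guessed at.
    """
    pairs: List[Tuple[str, str]] = []
    for entry in field.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        issuer, sep, realm = entry.partition("@")
        if not sep or not issuer:
            raise ValueError(f"malformed trusted_issuers entry: {entry!r}")
        pairs.append((issuer, realm))
    return pairs


def discover_realm(raw_401: str) -> Dict[str, object]:
    """Extract client_id, realm (None if absent) and trusted issuers from a
    401 response. Raises if the response is not a 401 or carries no Bearer
    challenge, so a caller never proceeds on a malformed challenge."""
    status, headers = parse_headers(raw_401)
    if not status.startswith("HTTP/1.1 401"):
        raise ValueError(f"expected a 401 challenge, got: {status!r}")
    for name, value in headers:
        if name != "www-authenticate":
            continue
        params = parse_bearer_challenge(value)
        if params is None:
            continue  # Basic (or other) challenge: not relevant to autodiscovery
        return {
            "client_id": params.get("client_id"),
            "realm": params.get("realm"),  # None in the page's example
            "trusted_issuers": parse_trusted_issuers(params.get("trusted_issuers", "")),
        }
    raise ValueError("401 response carries no Bearer challenge")


if __name__ == "__main__":
    print(discover_realm(SAMPLE_401))
```

A client using this should compare the returned issuer identifiers against the set of STS issuers it is already configured to trust, rather than accepting whatever the server lists; the challenge tells the client where to look, not whom to believe.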