4.6 Realm Autodiscovery Through HTTP 401 Challenge
In this example, the client tries to access a resource on a server. It also tries to use realm autodiscovery by including an empty Bearer authorization header in its request. An example of such a request is as follows.
POST https://contoso.com/autodiscover/autodiscover.svc HTTP/1.1 Content-Type: text/xml; charset=utf-8 Accept: text/xml User-Agent: Test/1.0 (ContosoServicesClient/15.00.0424.000) client-request-id: 00000000-0000-0000-0000-000000000000 Authorization: Bearer Host: contoso.com Content-Length: 1368 Expect: 100-continue
The server responds with an HTTP 401 challenge that lists the security token issuers it trusts in the trusted_issuers field. An example of such a challenge is as follows.
HTTP/1.1 401 Unauthorized Server: Fabrikam/7.5 request-id: 443ce338-377a-4c16-b6bc-c169a75f7b00 X-FEServer: XJSUI01CA101 WWW-Authenticate: Bearer client_id="00000002-0000-0ff1-ce00-000000000000", trusted_issuers="00000001-0001-0000-c000-000000000000@*" WWW-Authenticate: Basic Realm="" X-Powered-By: ASP.NET Date: Thu, 19 Apr 2012 17:04:16 GMT Content-Length: 0
In this example, the server determines that the value in the trusted_issuers field contains sufficient information for the client to locate the STS, so the server does not include a realm field.