Skip to content

Commit 8c23de2

Browse files
waxlampwaxlamp
committed
Add documentation for new setting and behavior
1 parent 0a53bb0 commit 8c23de2

2 files changed

Lines changed: 8 additions & 1 deletion

File tree

docs/api-guide/authentication.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ When an unauthenticated request is denied permission there are two different err
8484
* [HTTP 401 Unauthorized][http401]
8585
* [HTTP 403 Permission Denied][http403]
8686

87-
HTTP 401 responses must always include a `WWW-Authenticate` header, that instructs the client how to authenticate. HTTP 403 responses do not include the `WWW-Authenticate` header.
87+
HTTP 401 responses must always include a `WWW-Authenticate` header, that instructs the client how to authenticate. The `www_authenticate_behavior` setting controls how the header is generated: if set to `'first'` (the default), then only the text for the first scheme in the list will be used; if set to `'all'`, then a comma-separated list of the text for all the schemes will be used (see [MDN WWW-Authenticate](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) for more details). HTTP 403 responses do not include the `WWW-Authenticate` header.
8888

8989
The kind of response that will be used depends on the authentication scheme. Although multiple authentication schemes may be in use, only one scheme may be used to determine the type of response. **The first authentication class set on the view is used when determining the type of response**.
9090

docs/api-guide/settings.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -189,6 +189,13 @@ The class that should be used to initialize `request.auth` for unauthenticated r
189189

190190
Default: `None`
191191

192+
#### WWW_AUTHENTICATE_BEHAVIOR
193+
194+
Determines whether a single or multiple challenges are presented in the `WWW-Authenticate` header.
195+
196+
This should be set to `'first'` (the default value) or `'all'`. When set to `'first'`, the `WWW-Authenticate` header will be set to an appropriate challenge for the first authentication scheme in the list.
197+
When set to `'all'`, a comma-separated list of the challenge for all specified authentication schemes will be used instead (following the [syntax specification](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate)).
198+
192199
---
193200

194201
## Test settings

0 commit comments

Comments
 (0)