HTTP Response Code for Proxy Authorization Failure?


If the origin server does not wish to accept the credentials sent
with a request, it SHOULD return a 401 (Unauthorized) response. The
response MUST include a WWW-Authenticate header field containing at
least one (possibly new) challenge applicable to the requested
resource. If a proxy does not accept the credentials sent with a
request, it SHOULD return a 407 (Proxy Authentication Required). The
response MUST include a Proxy-Authenticate header field containing a
(possibly new) challenge applicable to the proxy for the requested
resource.

According to the spec - yes, but I don't work with a wide range of web/application servers and proxies to provide an example of an exception to the rule...

So, when a client gets a 401 response, can it always assume it is an auth failure on the origin server? Likewise, if it gets a 407, can it always assume it is from a proxy?


Well, if there is an authorization failure for a 401-protected resource, the server simply responds with another 401:

Request URL:https://mysite.com/myresource/
Request Method:GET
Status Code:401 Authorization Required

Request Headers

Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Authorization:Digest username="gjggj", realm="apps", nonce="75602afa895d26f9796f3c9174cf83f3", uri="/misc/apps/", algorithm=MD5, response="9e113b10d3e95b590bdef0fc7c7c617b", qop=auth, nc=00000001, cnonce="61f73b73f6b33ea2"
Cache-Control:max-age=0
Connection:keep-alive
Host:game-point.net
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17

Response Headers

Cache-Control:no-cache
Connection:close
Content-Length:534
Content-Type:text/html
Date:Wed, 13 Feb 2013 11:07:26 GMT
Pragma:no-cache
Server:Cherokee/1.0.8 (Debian GNU/Linux)
WWW-Authenticate:Digest realm="apps", nonce="75602afa895d26f9796f3c9174cf83f3", qop="auth", algorithm="MD5"

So I'd say the way to deal with a 407 authorization failure is for the server to respond with a 407 status code despite the fact that the browser has sent authorization information; this shows that the authorization is still needed with the proxy, and implies that there was an authorization failure simply because you're still getting a 407 status code.

Yes. This answers all the questions. Thanks!
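
A client-side reading of the spec rule quoted above and of the repeated-challenge point in the second answer, as an added example that is not part of the original posts. The function and field names are hypothetical, the 401 sample headers come from the dump above, and the `stale=true` handling follows the Digest scheme's definition rather than anything stated on this page.

```python
import re

# status -> (issuer implied by the spec, challenge header, credential header)
AUTH_STATUS = {
    401: ("origin", "www-authenticate", "authorization"),
    407: ("proxy", "proxy-authenticate", "proxy-authorization"),
}

# A token, optionally followed by =value (quoted-string or bare token).
# Assumption: auth-param challenges (Basic, Digest); token68 data is not handled.
_ITEM = re.compile(r'([\w.-]+)(?:\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+))?')

# Headers taken from the 401 exchange in the dump above (Authorization shortened).
PAGE_REQUEST = [("Authorization", 'Digest username="gjggj", realm="apps"')]
PAGE_RESPONSE = [("WWW-Authenticate", 'Digest realm="apps", '
                  'nonce="75602afa895d26f9796f3c9174cf83f3", qop="auth", algorithm="MD5"')]


def parse_challenges(value):
    """Split one challenge header value into [(scheme, {param: value}), ...]."""
    challenges = []
    for name, raw in _ITEM.findall(value):
        if not raw:                     # bare token: a new scheme starts
            challenges.append((name, {}))
        elif challenges:                # name=value: belongs to the latest scheme
            if raw.startswith('"'):     # unquote and undo backslash escapes
                raw = re.sub(r'\\(.)', r'\1', raw[1:-1])
            challenges[-1][1][name.lower()] = raw
    return challenges


def classify(status, request_headers, response_headers):
    """Interpret a 401/407 exchange; returns None for any other status."""
    if status not in AUTH_STATUS:
        return None
    issuer, challenge_hdr, cred_hdr = AUTH_STATUS[status]
    challenges = [c for k, v in response_headers if k.lower() == challenge_hdr
                  for c in parse_challenges(v)]
    sent = any(k.lower() == cred_hdr for k, _ in request_headers)
    # Digest stale=true means the nonce expired, not that the password was wrong.
    stale = any(p.get("stale", "").lower() == "true" for _, p in challenges)
    return {
        "issuer": issuer,
        "challenges": challenges,
        "missing_challenge": not challenges,   # breaks the MUST in the spec text
        "credentials_rejected": sent and not stale,
    }


if __name__ == "__main__":
    print(classify(401, PAGE_REQUEST, PAGE_RESPONSE))
```

The `issuer` field reports only what the status code implies under the spec; a response with `missing_challenge` set is one that does not follow the quoted MUST and deserves a closer look at which hop produced it.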
