Details
-
Suggestion
-
Resolution: Unresolved
-
Not Evaluated
-
None
-
None
Description
Background
A customer wants to implement IWA authentication. Their server supports both Kerberos and NTLM.
When connecting, the server replies twice, corresponding to QNetworkAccessManager::authenticationRequired() being emitted twice.
- The first reply contains both of these headers (as observed via a network traffic sniffer):
- WWW-Authenticate: Negotiate
- WWW-Authenticate: NTLM
- And then, if we don't provide a username to QAuthenticator the first time, another reply comes with a smaller set of www-authenticate header values:
- WWW-Authenticate: NTLM
Use-case
The customer wants to use NTLM, while opting-out of NTLM's auto-login mechanism (seee QTBUG-133780). In other words, they want to ignore the first authenticationRequired() signal and provide the username + password at the second authenticationRequired() signal. instead (the second reply). To do this, they need to be able to check the QNetworkReply headers for the presence or absence of WWW-Authenticate: Negotiate
Current problem
Inside the QNetworkAccessManager::authenticationRequired() signal handler, the QNetworkReply does not contain any QHttpHeaders::WellKnownHeader::WWWAuthenticate headers (or any other headers, for that matter). Thus, the use-case cannot be easily achieved.
The headers eventually arrive, and we are notified via the QNetworkReply::metaDataChanged() signal. However, this occurs some time after QNetworkAccessManager::authenticationRequired() which is too late.
Suggestion/Request
Would it be possible to ensure that the WWW-Authenticate header(s) are made available before QNetworkAccessManager::authenticationRequired() is emitted?
Attachments
Issue Links
- relates to
-
-
- Reported
-