Martin Choma moved JBEAP-6680 to WFLY-7397:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7397 (was: JBEAP-6680)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security (was: Security)
Affects Version/s: 11.0.0.Alpha1 (was: 7.1.0.DR7)
Elytron SPNEGO: missing negstat field in the first reply
--------------------------------------------------------
Key: WFLY-7397
URL: https://issues.jboss.org/browse/WFLY-7397
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 11.0.0.Alpha1
Reporter: Martin Choma
Basically Elytron clone of JBEAP-4114.
When the client sends an initial SPNEGO token with Kerberos as the preferred mechanism and
includes an invalid Kerberos token, the client expects to see the {{WWW-Authenticate}}
HTTP header with the SPNEGO response {{negTokenResp[ negState = reject ]}}.
As stated in the [SPNEGO
specification|https://tools.ietf.org/html/rfc4178#section-4.2.2],
negState is required in the first reply:
{code:borderStyle=dashed}
negState
...
This field is REQUIRED in the first reply from the target, and is
OPTIONAL thereafter. When negState is absent, the actual state
should be inferred from the state of the negotiated mechanism
context.
{code}
https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
testInvalidKerberosSpnegoWorkflow.
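The check the issue describes, written out as an added example (this is not code from the WildFly or Elytron project, nor from the linked test): a minimal DER encoder/decoder for the RFC 4178 {{negTokenResp}} structure and a helper that inspects a {{WWW-Authenticate: Negotiate ...}} header value and reports whether the first server reply carries the mandatory {{negState}} field. The function names ({{encode_neg_token_resp}}, {{parse_neg_token_resp}}, {{check_first_reply}}) and the two sample header values are constructed for this example; the byte layout follows the ASN.1 in RFC 4178 section 4.2.2 (negTokenResp is context tag [1] wrapping a SEQUENCE, negState is context tag [0] wrapping an ENUMERATED).

```python
import base64

# RFC 4178 4.2.2: negState ENUMERATED values
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def _der_len(n):
    """DER definite-form length (short form below 0x80, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """Tag-length-value triple with a single-byte tag."""
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Read one TLV at buf[pos]; returns (tag, content, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_neg_token_resp(neg_state=None, response_token=None):
    """Build a negTokenResp ([1] SEQUENCE { [0] negState, [2] responseToken })."""
    fields = b""
    if neg_state is not None:
        fields += _tlv(0xA0, _tlv(0x0A, bytes([neg_state])))   # [0] ENUMERATED
    if response_token is not None:
        fields += _tlv(0xA2, _tlv(0x04, response_token))       # [2] OCTET STRING
    return _tlv(0xA1, _tlv(0x30, fields))                      # [1] SEQUENCE


def parse_neg_token_resp(token):
    """Decode a negTokenResp into a dict of the optional fields it contains."""
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError("not a negTokenResp (expected context tag [1])")
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("negTokenResp body is not a SEQUENCE")
    fields = {}
    pos = 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        inner_tag, inner, _ = _read_tlv(content, 0)
        if tag == 0xA0 and inner_tag == 0x0A:
            fields["negState"] = NEG_STATES.get(inner[0], inner[0])
        elif tag == 0xA1 and inner_tag == 0x06:
            fields["supportedMech"] = inner        # raw OID contents
        elif tag == 0xA2 and inner_tag == 0x04:
            fields["responseToken"] = inner
        elif tag == 0xA3 and inner_tag == 0x04:
            fields["mechListMIC"] = inner
    return fields


def check_first_reply(www_authenticate):
    """Return (ok, detail) for the server's first reply to a negTokenInit."""
    scheme, _, b64 = www_authenticate.partition(" ")
    if scheme != "Negotiate" or not b64:
        return False, "no SPNEGO token in WWW-Authenticate"
    fields = parse_neg_token_resp(base64.b64decode(b64))
    if "negState" not in fields:
        return False, "negState missing from first reply (RFC 4178 section 4.2.2)"
    return True, fields["negState"]


# Constructed sample headers: a conforming reject and a reply that omits negState.
REJECT_REPLY = "Negotiate " + base64.b64encode(encode_neg_token_resp(neg_state=2)).decode()
MISSING_NEGSTATE_REPLY = "Negotiate " + base64.b64encode(
    encode_neg_token_resp(response_token=b"\x00")).decode()

if __name__ == "__main__":
    print(REJECT_REPLY, check_first_reply(REJECT_REPLY))
    print(MISSING_NEGSTATE_REPLY, check_first_reply(MISSING_NEGSTATE_REPLY))
```

The conforming reject token encodes to the nine bytes {{a1 07 30 05 a0 03 0a 01 02}} ({{oQcwBaADCgEC}} in base64), which is the value a client would expect after sending an invalid Kerberos token; the second sample is what a server violating the REQUIRED rule would send, and the check reports it.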