Elytron SPNEGO "continuation required" situation ------------------------------------------------ Key: ELY-693 URL: https://issues.jboss.org/browse/ELY-693 Project: WildFly Elytron Issue Type: Bug Components: Authentication Mechanisms Reporter: Jan Kalina Assignee: Jan Kalina Priority: Critical I have problem to achieve this scenario with elytron: # Client sends non kerberos OID mechanism as most preferred with non kerberos ticket # Server response with "continuation required" # Client sends kerberos ticket # Server response with 401 instead of 200 Actually, it is scenario tested in [1]. It worked correctly in EAP 7.0 . Also works with elytron when client sends non-kerberos OID mechanism with kerberos ticket. Problem as I see is that SpnegoAuthenticationMechanism: # Creates {{gssContext}} with first provided ticket (non-kerberos) and sends "continuation required" # Client provide proper kerberos ticket, but that anyway leads to 401 bare challenge, because {{gssContext}} was already created in first step and is not tried to make again. Setting to critical as it behaves differently compared to EAP 7.0 and IMHO it doesn't comply to spec [2]. Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that. [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d... [2] https://tools.ietf.org/html/rfc4178