In negotiator.go when the Www-Authenticate header does not advertise Basic Auth Basic Auth is still tried when neither party want it.
I'm happy to put something in for this as it would be trivial.
I think Basic Auth should only ever be tried whenever it is advertised in this header as being acceptable as when it isn't advertised it will just be another request to a server which doesn't support it anyway so it's just delaying the inevitable.
In negotiator.go when the Www-Authenticate header does not advertise Basic Auth Basic Auth is still tried when neither party want it.
I'm happy to put something in for this as it would be trivial.
I think Basic Auth should only ever be tried whenever it is advertised in this header as being acceptable as when it isn't advertised it will just be another request to a server which doesn't support it anyway so it's just delaying the inevitable.