elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

remove reliance on exceptions to indicate authentication required #29694

Open elasticmachine opened 7 years ago

elasticmachine commented 7 years ago

Original comment by @jaymode:

When thinking about custom realms, we differ from many common frameworks in that we use a specialized exception to indicate a request needs authentication or to issue redirects to external services.

We should consider other mechanisms to provide this functionality. One idea is to allow realms/authentication service to send a response to the channel. Additionally, a new status could be added to indicate if authentication was a failure, success, or is ongoing.

This comes into play when thinking about a GSSAPI scenario, where multiple rounds of communication can occur in the authentication and this could create lots of clutter in the audit logs.
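As an added illustration, not code from this issue or from Elasticsearch, here is a Java sketch of the status-based design described above: the realm returns an explicit outcome (success, failure, or ongoing) together with the response headers to write to the channel, so no exception is thrown to signal "authentication required", and the intermediate rounds of a GSSAPI-style exchange never reach the audit log. All names (`AuthResult`, `Realm`, `TwoRoundRealm`, `AuthService`) and the token strings are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch: the outcome of an authentication attempt carried as a status
// value rather than as a thrown exception. CONTINUE means "more rounds are needed".
enum Status { SUCCESS, CONTINUE, FAILURE }

record AuthResult(Status status, String user, Map<String, String> responseHeaders) {
    static AuthResult success(String user) {
        return new AuthResult(Status.SUCCESS, user, Map.of());
    }
    // The challenge for the next round rides along with the result instead of on an exception.
    static AuthResult cont(String challenge) {
        return new AuthResult(Status.CONTINUE, null, Map.of("WWW-Authenticate", "Negotiate " + challenge));
    }
    static AuthResult failure() {
        return new AuthResult(Status.FAILURE, null, Map.of("WWW-Authenticate", "Negotiate"));
    }
}

interface Realm {
    AuthResult authenticate(Optional<String> clientToken);
}

// Constructed toy realm standing in for a two-round GSSAPI/SPNEGO negotiation.
class TwoRoundRealm implements Realm {
    public AuthResult authenticate(Optional<String> clientToken) {
        if (clientToken.isEmpty()) return AuthResult.cont("server-token-1");   // round 1: challenge
        if (clientToken.get().equals("client-token-2")) return AuthResult.success("alice"); // round 2: done
        return AuthResult.failure();
    }
}

class AuthService {
    int auditedEvents = 0;

    // Returns the HTTP status to write to the channel and fills the response headers.
    // Only terminal outcomes are audited; an ongoing negotiation is not an error.
    int handle(Realm realm, Optional<String> clientToken, Map<String, String> responseHeaders) {
        AuthResult result = realm.authenticate(clientToken);
        responseHeaders.putAll(result.responseHeaders());
        switch (result.status()) {
            case SUCCESS: auditedEvents++; return 200;
            case FAILURE: auditedEvents++; return 401;
            default:      return 401; // CONTINUE: 401 + challenge header, nothing audited
        }
    }

    public static void main(String[] args) {
        AuthService service = new AuthService();
        Realm realm = new TwoRoundRealm();
        Map<String, String> headers = new HashMap<>();
        int first = service.handle(realm, Optional.empty(), headers);               // 401, challenge, not audited
        int second = service.handle(realm, Optional.of("client-token-2"), headers); // 200, audited once
        System.out.println(first + " " + second + " audited=" + service.auditedEvents + " " + headers);
    }
}
```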

elasticmachine commented 7 years ago

Original comment by @javanna:

Relates to LINK REDACTED. We want to stop returning exception headers as response headers (they are already printed out as part of the response body anyway). But we can only do it for now for es. headers, as exception headers are needed in security for e.g. WWW-Authenticate. Once we can return these response headers without using exception headers, we can completely remove returning them as response headers.