Background
I am using mod_authnz_external for an authz that checks for anonymous access (no authenticated user). The auth flow that I would like to achieve is
- agent sends request
- authz checks for anonymous access
- if granted then deliver document
- when denied anonymous respond with 401 so that the agent knows to authenticate
- agent sends request with user credentials
- authn checks for
valid-user
- authz checks for access
- if granted then deliver document
- when denied respond with 403
Problem
Using GroupExternalAuthnCheck Off allows for the Authz to check for anonymous access, but then it forces all further denial responses to be 403. Ideally, not having an authenticated user should only be able to respond with 401 regardless of whether Authn is checked for or not.
Background
I am using mod_authnz_external for an authz that checks for anonymous access (no authenticated user). The auth flow that I would like to achieve is
valid-userProblem
Using
GroupExternalAuthnCheck Offallows for the Authz to check for anonymous access, but then it forces all further denial responses to be 403. Ideally, not having an authenticated user should only be able to respond with 401 regardless of whether Authn is checked for or not.