Description
Description
When SocketsHttpHandler is configured to use CredentialCache.DefaultCredentials (i.e. SystemNetworkCredential), it will automatically retry with a useless "Authorization" header in response to WWW-Authenticate challenges. The content of the header is Og== (base-64 encoded colon character), meaning empty username and empty password.
The code in AuthenticationHelper that adds a "no username / no password" header ^
The auto-retry request seen in Fiddler ^
Reproduction Steps
using System.Net;
var handler = new SocketsHttpHandler();
handler.Credentials = CredentialCache.DefaultCredentials;
using var invoker = new HttpMessageInvoker(handler);
var request = new HttpRequestMessage(HttpMethod.Get, "https://www.geoportal.ch/services/wms/benken/wasserkorporation_benken/authenticate?service=WMS&request=GetCapabilities");
var response = await invoker.SendAsync(request, CancellationToken.None); // This causes 2 requests instead of 1Expected behavior
SystemNetworkCredential should be special-cased when challenged for Basic and Digest authentication, because it only has meaning for NTLM and Negotiate. Only 1 request should be made and the original 401 response returned.
Actual behavior
An extra request is made. This request is unexpected and has no chance of succeeding. Response for the original (authorization-free) request is lost, and only the second response is returned -- which complicates working with some services that return a different response depending on whether or not request included "Authorization" header at all.
Regression?
The issue is not present in other HttpMessageHandler implementations, such as WebRequestHandler (.NET Framework) or HttpClientHandler (UWP). I am not sure if it was present in previous versions of dotnet core.
Known Workarounds
No response
Configuration
My repro targets net8.0-windows10.0.19041, runs on .NET 8.0.13, and is built with VS 17.13.2
Other information
No response
Activity