import okhttp3.Request;
import okhttp3.Response;

public final class Authenticate {
  private final OkHttpClient client;

  public Authenticate() {
    client = new OkHttpClient.Builder()
        .authenticator((route, response) -> {
          if (response.request().header("Authorization") != null) {
            return null; // Give up, we've already attempted to authenticate.
          }

import java.io.IOException
import okhttp3.Authenticator
import okhttp3.Credentials
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.Response
import okhttp3.Route

class Authenticate {
  private val client =
    OkHttpClient
      .Builder()
      .authenticator(
        object : Authenticator {
          @Throws(IOException::class)
          override fun authenticate(
            route: Route?,

   */
  @Throws(IOException::class)
  fun authenticate(
    route: Route?,
    response: Response,
  ): Request?

  companion object {
    /** An authenticator that knows no credentials and makes no attempt to authenticate. */
    @JvmField
    val NONE: Authenticator = AuthenticatorNone()

    private class AuthenticatorNone : Authenticator {
      override fun authenticate(
        route: Route?,

     */
    /**
     * Calls the static {@link #authenticate(HttpServletRequest,
     * HttpServletResponse, byte[])} method to perform NTLM authentication
     * for the specified servlet request.
     *
     * @param req The request being serviced.
     * @param resp The response.
     * @param challenge The domain controller challenge.
     * @return the authenticated NtlmPasswordAuthentication object

        .protocol(HTTP_2)
        .message("Unauthorized")
        .build()
    val authRequest = authenticator.authenticate(route, response)

    assertEquals(
      "Basic ${RecordingAuthenticator.BASE_64_CREDENTIALS}",
      authRequest!!.header("Authorization"),
    )
  }

  @Test
  fun noSupportForNonBasicAuth() {
    val request =
      Request
        .Builder()

            }
            try {
                SmbSession.logon(dc, ntlm);
            } catch (final SmbAuthException sae) {
                response.setHeader("WWW-Authenticate", "NTLM");
                if (offerBasic) {
                    response.addHeader("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
                }
                response.setHeader("Connection", "close");

class JavaNetAuthenticator : Authenticator {
  @Throws(IOException::class)
  override fun authenticate(
    route: Route?,
    response: Response,
  ): Request? = JAVA_NET_AUTHENTICATOR.authenticate(route, response)

@Deprecated
public class NtlmSsp implements NtlmFlags {

    /**
     * Default constructor.
     */
    public NtlmSsp() {
        // Default constructor
    }

    /**
     * Calls the static {@link #authenticate(CIFSContext, HttpServletRequest,
     * HttpServletResponse, byte[])} method to perform NTLM authentication
     * for the specified servlet request.
     *
     * @param tc the CIFS context to use
     *

public final class okhttp3/JavaNetAuthenticator : okhttp3/Authenticator {
	public fun <init> ()V
	public fun authenticate (Lokhttp3/Route;Lokhttp3/Response;)Lokhttp3/Request;
}

public final class okhttp3/JavaNetCookieJar : okhttp3/CookieJar {
	public fun <init> (Ljava/net/CookieHandler;)V
	public fun loadForRequest (Lokhttp3/HttpUrl;)Ljava/util/List;
	public fun saveFromResponse (Lokhttp3/HttpUrl;Ljava/util/List;)V

{* ../../docs_src/security/tutorial003_an_py310.py hl[58:66,69:74,94] *}

/// info

The additional header `WWW-Authenticate` with value `Bearer` we are returning here is also part of the spec.

Any HTTP (error) status code 401 "UNAUTHORIZED" is supposed to also return a `WWW-Authenticate` header.