*     .build();
 * ```
 *
 * The proxy authenticator may implement preemptive authentication, reactive authentication, or
 * both.
 *
 * Applications may configure OkHttp with an authenticator for origin servers, or proxy servers,
 * or both.
 *
 * ## Authentication Retries
 *
 * If your authentication may be flaky and requires retries you should apply some policy

 * limitations under the License.
 */
package okhttp3.internal

import java.net.Authenticator
import java.net.PasswordAuthentication

class RecordingAuthenticator(
  private val authentication: PasswordAuthentication? =
    PasswordAuthentication(
      "username",
      "password".toCharArray(),
    ),
) : Authenticator() {
  val calls = mutableListOf<String>()

A single HTTP call may require follow-up requests to be made to handle authentication challenges, redirects, and HTTP-layer timeouts. In such cases multiple connections, requests, and responses may be attempted. Follow-ups are another reason a single call may trigger multiple events of the same type.

    .build();
OkHttpClient client = new OkHttpClient.Builder()
    .sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager())
    .build();
```

Client Authentication
---------------------

The above scenario is representative of most TLS set ups: the client uses certificates to validate
the identity of a server. The converse is also possible. Here we create a server that authenticates

import okhttp3.internal.commonToString

/**
 * An [RFC 7235][rfc_7235] challenge.
 *
 * [rfc_7235]: https://tools.ietf.org/html/rfc7235
 */
class Challenge(
  /** Returns the authentication scheme, like `Basic`. */
  @get:JvmName("scheme") val scheme: String,
  authParams: Map<String?, String>,
) {
  /**
   * Returns the auth params, including [realm] and [charset] if present, but as

 *
 * ### Server Authentication
 *
 * This is the most common form of TLS authentication: clients verify that servers are trusted and
 * that they own the hostnames that they represent. Server authentication is required.
 *
 * To perform server authentication:
 *
 *  * The server's handshake certificates must have a [held certificate][HeldCertificate] (a

 *
 *  * A DNS lookup failed
 *  * The configuration is incapable of carrying the request, such as when the client is configured
 *    to use `H2_PRIOR_KNOWLEDGE` but the URL's scheme is `https:`.
 *  * Preemptive proxy authentication failed.
 *
 * Planning failures are not necessarily fatal. For example, even if we can't DNS lookup the first
 * proxy in a list, looking up a subsequent one may succeed.
 */

 *
 * As policy, implementations of this interface are responsible for selecting which cookies to
 * accept and which to reject. A reasonable policy is to reject all cookies, though that may
 * interfere with session-based authentication schemes that require cookies.
 *
 * As persistence, implementations of this interface must also provide storage of cookies. Simple
 * implementations may store cookies in memory; sophisticated ones may use the file system or

          System.out.println("Response 2 succeeded: " + response);
        } catch (IOException e) {
          System.out.println("Response 2 failed: " + e);
        }
      }
    ```

### Handling authentication ([.kt][AuthenticateKotlin], [.java][AuthenticateJava])

    }
    ```

 *  New: `MediaType.parameter()` gets a parameter like `boundary` from a media type like
    `multipart/mixed; boundary="abc"`.

 *  New: `Authenticator.JAVA_NET_AUTHENTICATOR` forwards authentication requests to
    `java.net.Authenticator`. This obsoletes `JavaNetAuthenticator` in the `okhttp-urlconnection`
    module.

 *  New: `CertificatePinner` now offers an API for inspecting the configured pins.