ssn.removeAttribute("NtlmHttpAuth");
                    }
                }
                resp.setHeader("WWW-Authenticate", "NTLM");
                if ( offerBasic ) {
                    resp.addHeader("WWW-Authenticate", "Basic realm=\"" + this.realm + "\"");
                }
                resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

        code = 401,
        headers = headersOf("WWW-Authenticate", "Basic realm=\"protected area\""),
        body = "Please authenticate.",
      ),
    )
    server.enqueue(
      MockResponse(body = "Authenticated!"),
    )
    java.net.Authenticator.setDefault(RecordingAuthenticator())
    client =
      client.newBuilder()
        .authenticator(JavaNetAuthenticator())
        .build()

    response = client.get(
        "/users/me", headers={"Authorization": "Basic notabase64token"}
    )
    assert response.status_code == 401, response.text
    assert response.headers["WWW-Authenticate"] == "Basic"
    assert response.json() == {"detail": "Invalid authentication credentials"}


def test_security_http_basic_non_basic_credentials():
    payload = b64encode(b"johnsecret").decode("ascii")

 * token68:
 *
 * ```
 * WWW-Authenticate: Digest foo=bar
 * WWW-Authenticate: Digest foo=
 * ```
 *
 * Similarly, the first line has one challenge and the second line has two challenges:
 *
 * ```
 * WWW-Authenticate: Digest ,foo=bar
 * WWW-Authenticate: Digest ,foo
 * ```
 */
fun Headers.parseChallenges(headerName: String): List<Challenge> {

public final class okhttp3/JavaNetAuthenticator : okhttp3/Authenticator {
	public fun <init> ()V
	public fun authenticate (Lokhttp3/Route;Lokhttp3/Response;)Lokhttp3/Request;
}

public final class okhttp3/JavaNetCookieJar : okhttp3/CookieJar {
	public fun <init> (Ljava/net/CookieHandler;)V
	public fun loadForRequest (Lokhttp3/HttpUrl;)Ljava/util/List;
	public fun saveFromResponse (Lokhttp3/HttpUrl;Ljava/util/List;)V

message TokenReviewStatus {
  // Authenticated indicates that the token was associated with a known user.
  // +optional
  optional bool authenticated = 1;

  // User is the UserInfo associated with the provided token.
  // +optional
  optional UserInfo user = 2;

  // Audiences are audience identifiers chosen by the authenticator that are

 *    certificate is not included in this chain.
 *  * The client's handshake certificates must include a set of trusted root certificates. They will
 *    be used to authenticate the server's certificate chain. Typically this is a set of well-known
 *    root certificates that is distributed with the HTTP client or its platform. It may be
 *    augmented by certificates private to an organization or service.

{!> ../../docs_src/security/tutorial003.py!}
```

////

/// info

The additional header `WWW-Authenticate` with value `Bearer` we are returning here is also part of the spec.

Any HTTP (error) status code 401 "UNAUTHORIZED" is supposed to also return a `WWW-Authenticate` header.

In the case of bearer tokens (our case), the value of that header should be `Bearer`.

    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception

async def get_current_user(token: str = Depends(oauth2_scheme)):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception