From 57ea50a666db96ad0c992b5b7a36ec6556392fba Mon Sep 17 00:00:00 2001
From: Sravan Garikipati
Date: Thu, 21 Aug 2025 11:10:22 -0400
Subject: [PATCH 1/2] Auth:Preserve WWW-Authenticate for SPNEGO with satisfy any

Updates the header-filtering logic used with `satisfy any` so that NGINX does not drop `WWW-Authenticate` iff it contains a SPNEGO mutual-auth token. In other words, we skip setting the header hash to zero for this specific case.

Why:
- Existing behavior assumes WWW-Authenticate only appears on 401 challenges.
- In SPNEGO mutual auth, the server must return a final token to the client in WWW-Authenticate on a successful response.
- Dropping this header prevents clients from verifying the server and completing the handshake.
---
 src/http/ngx_http_core_module.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index c75ddb849..ee7c5fb43 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1138,7 +1138,17 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
 r->access_code = 0;
 for (h = r->headers_out.www_authenticate; h; h = h->next) {
- h->hash = 0;
+ // WWW-Authenticate response header is also used to send the
+ // servers Mutual authentication token to client as response to
+ // a request with authentication token. Ref: RFC 4559
+
+ // Below check skips invalidating the header iff it is a
+ // GSSAPI Mutual authentication token.
+ if (ngx_strncmp(h->value.data, "Negotiate ",
+ ngx_strlen("Negotiate ")) != 0)
+ {
+ h->hash = 0;
+ }
 }
 r->phase_handler = ph->next;

From 688d4996fe596348a7471d6e95e9b670498a7560 Mon Sep 17 00:00:00 2001
From: Sravan Garikipati
Date: Fri, 22 Aug 2025 02:12:30 -0400
Subject: [PATCH 2/2] Improve comment wording

---
 src/http/ngx_http_core_module.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
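Review bot: The prefix compare `ngx_strncmp(h->value.data, "Negotiate ", ngx_strlen("Negotiate "))` never consults `h->value.len`, and an `ngx_str_t` value is not guaranteed to be NUL-terminated, so a value shorter than ten bytes that matches the prefix — notably the bare `Negotiate` challenge an auth module emits on its first 401 — makes strncmp read one byte past the header value. Guard on the length first and use the compile-time constant the rest of nginx uses for literal prefixes: `if (h->value.len < sizeof("Negotiate ") - 1 || ngx_strncmp(h->value.data, "Negotiate ", sizeof("Negotiate ") - 1) != 0)`. The added comment block uses `//` while this file is written with `/* */` comments, and the brace after the condition is placed on its own line unlike the surrounding code, so both should follow the file's style. Note also that a multi-leg continuation challenge starts with `Negotiate ` as well, so after this change it is kept on a response that another `satisfy any` module already granted; if that is intended, the comment should say so rather than describing the kept value only as the mutual-auth token.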
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index ee7c5fb43..3760014a1 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1143,7 +1143,7 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
 // a request with authentication token. Ref: RFC 4559
 // Below check skips invalidating the header iff it is a
- // GSSAPI Mutual authentication token.
+ // SPNEGO Mutual authentication token.
 if (ngx_strncmp(h->value.data, "Negotiate ",
 ngx_strlen("Negotiate ")) != 0)
 {