Currently, most registries return a single WWW-Authenticate header with a 401 during the initial authentication ping. However, as per the spec, multiple headers are allowed in the response. So, in theory, a client can pick and choose depending on how it is deployed.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate
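A sketch of the client side of this, added here as an example and not taken from the original post or any registry client: it collects every challenge from all WWW-Authenticate header values on a 401 and picks one by the client's own ordered preference rather than by server order. The function names, the `example.test` hosts and the sample headers are assumptions constructed for illustration, and token68-style credentials (as used by some Negotiate responses) are not parsed.

```python
import re

_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# One item: a bare token (auth scheme) or token=value (auth parameter).
_ITEM = re.compile(
    r'[\s,]*(' + _TOKEN + r')(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + _TOKEN + r')))?'
)

# Constructed sample: two header lines, the second carrying two challenges.
SAMPLE_HEADERS = [
    'Basic realm="registry.example.test"',
    'Bearer realm="https://auth.example.test/token",'
    'service="registry.example.test",scope="repository:team/app:pull", Negotiate',
]


def parse_challenges(header_values):
    """Return [(scheme, params)] from every WWW-Authenticate value, in order."""
    challenges = []
    for value in header_values:
        pos = 0
        while True:
            m = _ITEM.match(value, pos)
            if m is None:
                break
            pos = m.end()
            name, quoted, bare = m.groups()
            if quoted is None and bare is None:
                challenges.append((name.lower(), {}))  # bare token starts a new scheme
            elif challenges:
                # Parameter of the most recent scheme; undo quoted-pair escapes.
                val = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
                challenges[-1][1][name.lower()] = val
    return challenges


def select_challenge(challenges, preferred):
    """Pick by the client's ordered policy; schemes not listed are never used."""
    for scheme in preferred:
        for name, params in challenges:
            if name == scheme.lower():
                return name, params
    return None


if __name__ == "__main__":
    print(select_challenge(parse_challenges(SAMPLE_HEADERS), ["bearer", "basic"]))
```

Because selection is driven by the `preferred` list, a deployment that must never send Basic credentials simply leaves `basic` out, and a response offering only unlisted schemes yields `None` instead of a silent downgrade.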