[net/auth] Don't abort network transaction over non-permanent auth errors.

net/http/http_auth_controller.cc

Index: net/http/http_auth_controller.cc
diff --git a/net/http/http_auth_controller.cc b/net/http/http_auth_controller.cc
index 15725b44b9f0dd8cf480d6fd0454c65194333cb5..b2cd4146832ec61ccbaebcfffe380987cb5a5c29 100644
--- a/net/http/http_auth_controller.cc
+++ b/net/http/http_auth_controller.cc
@@ -158,8 +158,7 @@ int HttpAuthController::MaybeGenerateAuthToken(
       credentials, request,
       base::Bind(&HttpAuthController::OnIOComplete, base::Unretained(this)),
       &auth_token_);
-  if (DisableOnAuthHandlerResult(rv))
-    rv = OK;
+  rv = HandleGenerateTokenResult(rv);
   if (rv == ERR_IO_PENDING)
     callback_ = callback;
   else
@@ -471,10 +470,21 @@ void HttpAuthController::PopulateAuthChallenge() {
   auth_info_->realm = handler_->realm();
 }
 
-bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
+int HttpAuthController::HandleGenerateTokenResult(int result) {
   DCHECK(CalledOnValidThread());
-
   switch (result) {
+    case ERR_INVALID_AUTH_CREDENTIALS:
+      // If the GenerateAuthToken call fails with this error, this means that
+      // the handler can no longer be used. However, the authentication scheme
+      // is considered still usable. This allows a scheme that attempted and
+      // failed to use default credentials to recover and use explicit
+      // credentials.
+      //
+      // If the handler does not support any remaining identity sources, then
+      // the authentication controller will pick another authentication handler.
+      auth_token_.clear();
+      return OK;

[mmenke, 2016/10/04 19:42:14]

So this makes us send a new request, without a token, get a new challenge, and
start the process over from scratch?  What happens if the server hangs up on us
when we retry?

[asanka, 2016/10/06 14:16:35]

Either an error displayed to the user, or depending on when the socket was found
to be disconnected, we'll reconnect and proceed as if we saw a "Connection:
close". Although I think I'm misunderstanding the question?

+
     // Occurs with GSSAPI, if the user has not already logged in.
     case ERR_MISSING_AUTH_CREDENTIALS:

[mmenke, 2016/10/04 19:42:14]

We get ERR_INVALID_AUTH_CREDENTIALS instead of ERR_MISSING_AUTH_CREDENTIALS in
the case you describe, where we get credentials from the system for the first
round, but not for the second?

[asanka, 2016/10/06 14:16:35]

Initially we ask the system whether we can initiate an authentication handshake
with the target server. We'd see a ERR_MISSING_AUTH_CREDENTIALS trickle down the
system if the system believes we don't have credentials that can be used to
authenticate with the target.

ERR_INVALID_AUTH_CREDENTIALS is seen when the system attempts to use
credentials, but discovers that the credentials cannot be used with the target
partway through the handshake. The credentials aren't missing, they just were
not valid for use with the target.

 
@@ -494,17 +504,16 @@ bool HttpAuthController::DisableOnAuthHandlerResult(int result) {
       // succeed.
       DisableAuthScheme(handler_->auth_scheme());
       auth_token_.clear();
-      return true;
+      return OK;
 
     default:
-      return false;
+      return result;
   }
 }
 
 void HttpAuthController::OnIOComplete(int result) {
   DCHECK(CalledOnValidThread());
-  if (DisableOnAuthHandlerResult(result))
-    result = OK;
+  result = HandleGenerateTokenResult(result);
   if (!callback_.is_null()) {
     CompletionCallback c = callback_;
     callback_.Reset();