Both authentication flows have their advantages and limitations.
The table below illustrates the strengths of each authentication flow:

| Topic | Authentication flow One-Shot | Authentication flow Redirect | Note |
|---|---|---|---|
| Unauthenticated POST requests | The browser directly receives a 401 response and knows that the data has not been processed. The browser re-sends the data after acquiring the Kerberos ticket. No data is lost. | The browser receives a redirect and assumes the data has been processed (it has not). Data is lost. | POST requests carry data the client wants to send to the server. The kind and amount of data differ by web application; for a ticketing web application it could be a comment on a ticket. An unauthenticated POST request can occur if a user starts writing a comment in a ticketing system, goes for lunch, the session times out, and after lunch the user wants to submit the comment. |
| Multi-Factor Authentication | Only a client certificate can be used as 2nd factor. | All 2nd factors are possible. | |
| Other self-services or intermediate pages | No interactive elements possible. | Possibility to add Terms of Service, credential migrations or other self-services before the user is finally redirected to the target application. | |
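The first table row is easiest to see in a worked exchange. The following Python model is an added example, not code from the product the table describes: `Application` is a constructed stand-in for the protected web application (in both flows it records only the POST bodies it actually processed), and `browser_submit` models standard browser behaviour on the two responses. On a `401` with `WWW-Authenticate: Negotiate` the browser repeats the identical request with a token attached, so the body arrives; on a `302` it follows the `Location` with a `GET`, so the body is dropped and, after the user has logged in, the original URL is loaded without the comment. The ticket path, the login URL and the token value are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


class Application:
    """Constructed stand-in for a protected web application.

    flow is "one-shot" (answer unauthenticated requests with 401 Negotiate)
    or "redirect" (answer them with a 302 to a login page).
    """

    def __init__(self, flow: str) -> None:
        self.flow = flow
        self.processed: List[bytes] = []  # POST bodies that actually reached the app logic

    def handle(self, req: Request) -> Response:
        if "Authorization" not in req.headers:
            if self.flow == "one-shot":
                return Response(401, {"WWW-Authenticate": "Negotiate"})
            # assumed login URL; the original path is carried as a return target
            return Response(302, {"Location": "/login?return=" + req.path})
        if req.method == "POST":
            self.processed.append(req.body)
        return Response(200)


def browser_submit(app: Application, body: bytes) -> Tuple[int, List[bytes]]:
    """Model of a browser submitting a form while its session has expired.

    Returns the final status the user sees and the bodies the app processed.
    """
    path = "/ticket/42/comment"  # assumed target path for the example
    resp = app.handle(Request("POST", path, body=body))

    if resp.status == 401 and resp.headers.get("WWW-Authenticate", "").startswith("Negotiate"):
        # One-Shot: the browser obtains a Kerberos ticket and re-sends the
        # same method and body with the token attached. Nothing is lost.
        retry = Request("POST", path, {"Authorization": "Negotiate <constructed-token>"}, body)
        resp = app.handle(retry)
    elif resp.status in (301, 302, 303):
        # Redirect: browsers follow a redirect to a POST with a GET and no body.
        # The login page itself is outside the app; after the user has
        # authenticated there, the browser returns to the original URL with
        # another GET, so the comment never reaches the application.
        assert resp.headers["Location"].startswith("/login")
        back = Request("GET", path, {"Authorization": "Bearer <constructed-session>"})
        resp = app.handle(back)

    return resp.status, list(app.processed)


if __name__ == "__main__":
    comment = b"Please reopen this ticket."  # constructed POST body
    print("one-shot:", browser_submit(Application("one-shot"), comment))
    print("redirect:", browser_submit(Application("redirect"), comment))
```

Both flows end with a `200` in front of the user; only the One-Shot flow has the comment in `processed`. That matches the table: in the Redirect flow the user sees a successful page load and has no indication that the POST data was discarded.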