One-shot vs. redirect flow

Both authentication flows have their advantages and limitations.

The table below illustrates what are the strengths of each authentication flow:

Authentication flow
Authentication flow
Unauthenticated POST requests
The browser directly receives a 401 response and knows that data is not processed.
The browser re-sends the data after acquiring the Kerberos ticket.
No data is lost.
The browser receives a redirect and thinks the data is processed (but is not).
Data is lost.
POST requests contain data the client wants to send to the server.
The kind and amount of data differ depending on the web application.
For a ticketing web application that could be a comment of a ticket.
An unauthenticated POST request could occur if an user start do make a comment in a ticketing system, go for lunch, the session times out and after lunch the user want to submit his comment.
Multi-Factor Authentication
Only client certificate can be used as 2nd factor.
All 2nd factors are possible.
Other Self-Services or intermediate pages
No interactive elements possible.
Possibility to add Terms of Services, Credential Migrations or other self-services before the user is finally redirected to the target application.