Summary The auth client blindly follows the realm URL from the server's WWW-Authenticate: Bearer challenge header when exchanging credentials for tokens. A malicious or compromised registry can set ...