That scenario is covered in the last paragraph of the answer; if it’s a request to obtain an access token according to OAuth2 then you should check the core OAuth2 RFC so that the responses comply with the spec. If it’s something custom then the response is possibly also something custom, but if it’s an endpoint that requires username/password authentication then the challenge should probably be associated with the HTTP basic authentication scheme.
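
An added illustration of the two cases in the comment above, not part of the original comment or answer: a token endpoint that follows the error rules of RFC 6749 section 5.2, beside a custom username/password endpoint that answers with an HTTP Basic challenge. The client registry, realm, token value and function names are constructed for the example, and only Basic client authentication and the `client_credentials` grant are handled.

```python
import base64
import hmac
import json

CLIENTS = {"demo-client": "demo-secret"}  # constructed registry (assumption)
REALM = "example"                         # hypothetical realm name


def basic_challenge():
    """401 for a custom username/password endpoint: HTTP Basic challenge."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, ""


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    scheme, _, value = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def token_error(error, used_auth_header=False):
    """RFC 6749 5.2: errors are 400 with a JSON body; invalid_client becomes
    401 plus WWW-Authenticate when the client used the Authorization header."""
    headers = {"Content-Type": "application/json",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    status = 400
    if error == "invalid_client" and used_auth_header:
        status = 401
        headers["WWW-Authenticate"] = f'Basic realm="{REALM}"'
    return status, headers, json.dumps({"error": error})


def token_endpoint(authorization, form):
    """Handle a token request given the Authorization header and form fields."""
    creds = parse_basic(authorization)
    known = creds is not None and creds[0] in CLIENTS
    expected = CLIENTS[creds[0]] if known else ""
    supplied = creds[1] if creds else ""
    # Constant-time comparison of the client secret.
    if not (known and hmac.compare_digest(supplied.encode(), expected.encode())):
        return token_error("invalid_client", authorization is not None)
    if form.get("grant_type") != "client_credentials":
        return token_error("unsupported_grant_type")
    body = {"access_token": "constructed-token", "token_type": "Bearer"}
    return 200, {"Content-Type": "application/json",
                 "Cache-Control": "no-store", "Pragma": "no-cache"}, json.dumps(body)
```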