According to the RFC, duplicate HTTP headers are not allowed:
However, multiple headers can be appended as a comma-separated list in one single header section. This is also true for multiple challenges in WWW-Authenticate with a 401 Unauthorized response:
We should support the multiple-challenges case and figure out which one is the strongest auth-scheme that we should go with.
A simple proposal might be selecting an auth-scheme by defining a priority, e.g.,
For sure, more discussion is needed.
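As an added example (not part of the original post or of any project's code), this shows one way to split a folded WWW-Authenticate value into challenges and pick one by priority. The hard part is that commas separate both challenges and auth-params, and can also appear inside quoted strings. The `PRIORITY` order, the function names and the sample header are assumptions made for illustration.

```python
import re

# Assumed order, strongest first; the post leaves the actual priority open.
PRIORITY = ["negotiate", "digest", "bearer", "basic"]

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
ELEMENT = re.compile(r'(?:[^,"]|"(?:[^"\\]|\\.)*")+')
PARAM = re.compile(rf'({TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{TOKEN})')
START = re.compile(rf"({TOKEN})(?:\s+(.*))?", re.S)

# Constructed sample: three challenges folded into one field value.
SAMPLE = ['Basic realm="files, staging", Newauth realm="apps", type=1, '
          'Digest realm="api", qop="auth", nonce="abc123"']


def split_list(value):
    """Split a field value on commas that sit outside quoted strings."""
    return [e.strip() for e in ELEMENT.findall(value) if e.strip()]


def unquote(v):
    return re.sub(r"\\(.)", r"\1", v[1:-1]) if v.startswith('"') else v


def parse_challenges(header_values):
    """Return [(scheme, params, token68)] from one or more field values."""
    challenges = []
    for element in split_list(", ".join(header_values)):
        m = PARAM.fullmatch(element)
        if m and challenges:  # bare auth-param: belongs to the current challenge
            challenges[-1][1][m.group(1).lower()] = unquote(m.group(2))
            continue
        s = START.fullmatch(element)
        if not s:
            continue  # malformed element, ignore it
        scheme, rest = s.groups()
        m = PARAM.fullmatch(rest or "")
        params = {m.group(1).lower(): unquote(m.group(2))} if m else {}
        challenges.append((scheme, params, None if m else rest))
    return challenges


def select_challenge(header_values, priority=PRIORITY):
    """Pick the supported challenge that ranks highest, or None."""
    rank = {s: i for i, s in enumerate(priority)}
    known = [c for c in parse_challenges(header_values) if c[0].lower() in rank]
    return min(known, key=lambda c: rank[c[0].lower()], default=None)
```

Schemes missing from the priority list are ignored, so a response that offers only unknown schemes yields `None` and the caller has to decide how to fail.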