
Contradictory information on User-Interactive Authentication for the /register endpoint #1980

Closed
joepie91 opened this issue Apr 29, 2019 · 1 comment · Fixed by #2055
Labels: clarification (An area where the spec could do with being more explicit), client-server (Client-Server API)

@joepie91

From here:

A request to an endpoint that uses User-Interactive Authentication never succeeds without auth. Homeservers may allow requests that don't require auth by offering a stage with only the m.login.dummy auth type, but they must still give a 401 response to requests with no auth data.

This can essentially be summarized as "any endpoint that supports UIA, must require that it is used in all cases".

However, this says:

This API endpoint uses the User-Interactive Authentication API.
[...]
auth: Additional authentication information for the user-interactive authentication API. Note that this information is not used to define how the registered user should be authenticated, but is instead used to authenticate the register call itself. It should be left empty, or omitted, unless an earlier call returned a response with status code 401.

... which suggests that it is optional for a client to engage in the UIA process, and that the server should be tolerant of that; and indeed, in version r0.0.0 of the specification, UIA is not present.

Both cannot be satisfied at the same time; either the server must strictly produce a 401 and demand UIA, or never produce any UIA-related responses (as the client is not permitted to attempt UIA unless it receives a 401).

Further, since the endpoint address is the same in both r0.4.0 and r0.0.0, a server that wants to support the latter would need to leave out the 401 responses.

Which is the correct thing to do here? Strictly requiring UIA would break clients that do not support it (if any of them still exist), but never requiring it would violate the specification.
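The two readings quoted above differ only in who moves first. The strict reading says the server answers every auth-less /register with a 401 challenge, even when the only flow is a single m.login.dummy stage; the r0.4.0 parameter text says the client sends no auth until it has seen such a 401. The following toy simulation plays out that exchange on both sides, and also shows what happens to an r0.0.0-style client that never sends auth. It is an added illustration written for this page, not code from matrix-doc or from any homeserver or client; the ToyHomeserver class, the server name example.org, the assumption that the server offers exactly one dummy-only flow, and the function names are all invented here. The 401 body fields (flows, params, completed, session) follow the shape the spec's UIA section defines.

```python
"""Toy simulation of the User-Interactive Authentication (UIA) exchange on
/register: a request with no ``auth`` always gets a 401 carrying the flows,
even when the only flow is a single ``m.login.dummy`` stage, and a UIA-aware
client retries with ``auth`` once it has seen that 401. Added illustration,
not matrix-doc or any homeserver's code."""
import secrets

DUMMY = "m.login.dummy"
SERVER_NAME = "example.org"   # assumed server name for this toy


class ToyHomeserver:
    """In-memory stand-in for POST /register (assumption: the server offers
    exactly one flow, consisting only of the dummy stage)."""

    def __init__(self):
        self._sessions = {}   # UIA session id -> set of completed stage types
        self._users = {}      # localpart -> password (toy storage only)

    def _challenge(self, session):
        # 401 body in the shape the spec's UIA section defines.
        return {
            "flows": [{"stages": [DUMMY]}],
            "params": {},
            "completed": sorted(self._sessions[session]),
            "session": session,
        }

    def register(self, body):
        """Handle POST /register; returns (http_status, response_body)."""
        auth = body.get("auth")
        if auth is None:
            # First quoted rule: never succeed without auth, even though the
            # only stage on offer is m.login.dummy.
            session = secrets.token_hex(8)
            self._sessions[session] = set()
            return 401, self._challenge(session)
        session = auth.get("session")
        if session not in self._sessions:
            return 400, {"error": "unknown or expired UIA session"}
        if auth.get("type") == DUMMY:
            self._sessions[session].add(DUMMY)
        if DUMMY not in self._sessions[session]:
            # Wrong stage type: re-issue the challenge for the same session.
            return 401, self._challenge(session)
        localpart = body["username"]
        if localpart in self._users:
            return 400, {"error": "user already exists"}
        self._users[localpart] = body["password"]
        del self._sessions[session]
        return 200, {
            "user_id": f"@{localpart}:{SERVER_NAME}",
            "access_token": secrets.token_urlsafe(16),
            "home_server": SERVER_NAME,
        }


def legacy_register(hs, username, password):
    """An r0.0.0-style client that never sends ``auth``: under the strict
    reading it can never get past the 401, which is the breakage the issue
    raises."""
    return hs.register({"username": username, "password": password})


def uia_register(hs, username, password):
    """A UIA-aware client following the r0.4.0 parameter text: ``auth`` is
    omitted on the first call and only added after a 401 was received."""
    body = {"username": username, "password": password}
    status, resp = hs.register(body)
    if status != 401:
        # Would mean the server broke the "always 401 first" rule.
        return status, resp
    if not any(flow["stages"] == [DUMMY] for flow in resp["flows"]):
        raise RuntimeError("server offers no dummy-only flow; cannot complete")
    body["auth"] = {"type": DUMMY, "session": resp["session"]}
    return hs.register(body)


if __name__ == "__main__":
    hs = ToyHomeserver()
    print(legacy_register(hs, "alice", "hunter2"))
    print(uia_register(hs, "alice", "hunter2"))
```

Running it shows the asymmetry the issue is about: the legacy call returns 401 with a challenge whose only flow is [m.login.dummy], and it would keep doing so forever, while the UIA-aware call turns the same server response into a second request that completes registration. The toy also re-issues the challenge (same session) when the client supplies the wrong stage type, and rejects an unknown session outright, which are the two other branches a real implementation of the strict reading has to handle.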

turt2live added the labels clarification (An area where the spec could do with being more explicit) and client-server (Client-Server API) on Apr 29, 2019
turt2live self-assigned this on May 30, 2019
@turt2live (Member)

I think it's better to let go of the past: from a quick glance at the client space, it seems like they all support UIA, so might as well make that the standard.
