Document webauth fallback when REST API for profile download is used

This add a way to signal that webauth needs to be used when a client
erroursnly uses REST to try to download a profile.

Signed-off-by: Arne Schwabe <arne@openvpn.net>

doc/webauth.md

@@ -177,6 +177,7 @@ The flags are also comma separated values. Currently, the followings flag that a
     * hidden-webview   Starts the webview in hidden mode. See the web auth section for more details
     * external         Indicates that an internal webivew should NOT be used but instead a normal
                        browser is to be used.
+    * internal         Indicates that the internal webview should be used if possible 
 
 In general websites should also report ovpn-webauth without `embedded=true` parameter to allow
 clients without internal browser support to craft a url to open in an external browser that
@@ -329,6 +330,24 @@ User is not enrolled through the WEB client yet:
       <Message>You must enroll this user in Authenticator first before you are allowed to retrieve a connection profile. (9008)</Message>
     </Error>
 
+Webauth fallback
+----------------
+This is used when the server is configured to use username/password as general
+authentication method but some users are setup to used the web based 
+authentication method. Should a user that requires web based try to authenticate
+instead it will report an error:
+
+    <Error>
+      <Type>Authorization Required</Type>
+      <Synopsis>REST method failed</Synopsis>
+      <Message>Ovpn-WebAuth: providername,flags</Message>
+    </Error>
+
+The format and meaning of the Ovpn-WebAuth is identical to the one used in the
+detection of web based profile download. If the client encounters this error it
+should offer the user to continue to the import using the web based profile
+download method.
+
 Challenge/response authentication
 ---------------------------------
 The challenge/response protocol for the Rest web api mirrors the approach