The server drives the authentication by telling the client which
authentication methods can be used to continue the exchange at any
given time. The client has the freedom to try the methods listed by
the server in any order. This gives the server complete control over
the authentication process if desired, but also gives enough
flexibility for the client to use the methods it supports or that are
most convenient for the user, when multiple methods are offered by
the server.