On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:

> I don't think that the framework itself is broken. But one thing that
> needs to be clarified is that authentication exchange using a new
> authentication mechanism X can use more than 1 roundtrip and use the
> same HTTP header for each authentication step. Many existing
> implementations are designed to expect data from the second round trip
> in another header (like in Digest).

My view on this:

WWW-Authenticate is fine for 401.

For additional information after successful (or failed) authentication and useful to verify the server identity or provide information to be used on the next authenticated request or other information about the outcome of the authentication request Authentication-Info is more suited, and its presence should be declared as part of the framework and not just a by-product of Digest.

The format of Authentication-Info response header should be scheme specific, defined by the scheme used in the Authorization request header.

Regards
Henrik

Received on Monday, 2 July 2007 13:57:38 UTC
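An added example, not part of the original message or of any implementation discussed in the thread: a client that selects its Authentication-Info handling from the scheme it sent in Authorization, with Digest's `rspauth` check (RFC 2617, section 3.2.3) as the one registered handler, which is how that header lets the client verify the server. It assumes `qop=auth` and MD5; `INFO_HANDLERS`, the function names and the sample header values are constructed for illustration.

```python
import hashlib
import hmac
import re

def _h(s):
    # MD5 is the default algorithm of RFC 2617 Digest.
    return hashlib.md5(s.encode()).hexdigest()

def parse_auth_params(value):
    """Parse comma-separated name=token / name="quoted" auth-params."""
    pairs = re.finditer(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))', value)
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in pairs}

def digest_rspauth(sent, password):
    # RFC 2617 section 3.2.3: same as the request digest, but A2 is ":" uri.
    ha1 = _h(f'{sent["username"]}:{sent["realm"]}:{password}')
    ha2 = _h(f':{sent["uri"]}')
    return _h(f'{ha1}:{sent["nonce"]}:{sent["nc"]}:{sent["cnonce"]}:{sent["qop"]}:{ha2}')

def check_digest_info(info, sent, password):
    """Verify the server's proof of the password and pick up nextnonce."""
    expected = digest_rspauth(sent, password).encode()
    ok = (info.get("cnonce") == sent["cnonce"]
          and info.get("nc") == sent["nc"]
          and hmac.compare_digest(info.get("rspauth", "").encode(), expected))
    return {"server_verified": ok, "nextnonce": info.get("nextnonce") if ok else None}

# Hypothetical registry: one Authentication-Info handler per scheme.
INFO_HANDLERS = {"digest": check_digest_info}

def handle_authentication_info(authorization, authentication_info, password):
    """Dispatch on the scheme the client sent in its Authorization header."""
    scheme, _, params = authorization.strip().partition(" ")
    handler = INFO_HANDLERS.get(scheme.lower())
    if handler is None:
        return None  # no Authentication-Info format known for this scheme
    return handler(parse_auth_params(authentication_info),
                   parse_auth_params(params), password)

# Constructed sample request header (values are illustrative only).
SAMPLE_AUTHORIZATION = (
    'Digest username="alice", realm="example", nonce="n0nce-1", '
    'uri="/inbox", qop=auth, nc=00000001, cnonce="c1ientn0nce", '
    'response="00000000000000000000000000000000"')
```

A response whose `rspauth` does not match is reported as unverified and its `nextnonce` is discarded, so a server that does not know the password cannot steer the client's next request.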