On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote: > I don't think that the framework itself is broken. But one thing that > needs to clarified is that authentication exchange using a new > authentication mechanism X can use more than 1 roundtrip and use the > same HTTP header for each authentication step. Many existing > implementations are designed to expect data from the second round trip > in another header (like in Digest). My view on this: WWW-Authenticate is fine for 401. For additional information after successful (or failed) authentication and useful to verify the server identity or provide information to be used on the next authenticated request or other information about the outcome of the authentication request Authentication-Info is more suited, and it's presence should be declared as part of the framework and not just a by-product of Digest.. The format of Authentication-Info response header should be scheme specific, defined by the scheme used in the Authorization request header. Regards Henrik
Received on Monday, 2 July 2007 13:57:38 UTC