On Mon, 2007-07-02 at 12:22 +0100, Alexey Melnikov wrote:
> I don't think that the framework itself is broken. But one thing that
> needs to be clarified is that an authentication exchange using a new
> authentication mechanism X can use more than 1 roundtrip and use the
> same HTTP header for each authentication step. Many existing
> implementations are designed to expect data from the second round trip
> in another header (like in Digest).
My view on this:
WWW-Authenticate is fine for 401. For additional information after
successful (or failed) authentication, useful to verify the server
identity, provide information to be used on the next authenticated
request, or other information about the outcome of the authentication
request, Authentication-Info is more suited, and its presence should be
declared as part of the framework and not just a by-product of Digest.
The format of Authentication-Info response header should be scheme
specific, defined by the scheme used in the Authorization request
header.
Regards
Henrik
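The two-round-trip exchange discussed above, with the server's Authentication-Info carrying scheme-specific data that the client uses to verify the server identity and to prepare its next authenticated request, as an added example that is not part of this thread. It models Digest as defined in RFC 2617 without qop (rspauth and nextnonce); the credentials, URI and nonce are constructed for the demo.

```python
import hashlib
import secrets

# Constructed credentials and request shared by both sides (not from the thread).
USER, REALM, PASSWORD = "alice", "example.org", "correct horse"
METHOD, URI = "GET", "/private"

def h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_params(params: str) -> dict:
    """Parse the scheme-specific key="value" list of an auth header."""
    return {k: v.strip('"') for k, _, v in (s.strip().partition("=") for s in params.split(","))}

def challenge(nonce: str) -> str:
    """Server, round 1: 401 with a WWW-Authenticate challenge (Digest, no qop)."""
    return f'Digest realm="{REALM}", nonce="{nonce}"'

def client_authorization(www_auth: str) -> str:
    """Client: answer the challenge in the Authorization request header."""
    p = parse_params(www_auth.partition(" ")[2])
    ha1, ha2 = h(f"{USER}:{REALM}:{PASSWORD}"), h(f"{METHOD}:{URI}")
    resp = h(f"{ha1}:{p['nonce']}:{ha2}")
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{p["nonce"]}", '
            f'uri="{URI}", response="{resp}"')

def server_verify(authz: str, nonce: str):
    """Server, round 2: verify; on success return 200 and the Authentication-Info value."""
    scheme, _, rest = authz.partition(" ")
    p = parse_params(rest)
    ha1 = h(f"{USER}:{REALM}:{PASSWORD}")  # server's copy of the shared secret
    expected = h(f"{ha1}:{nonce}:{h(METHOD + ':' + URI)}")
    if scheme != "Digest" or p.get("nonce") != nonce or p.get("response") != expected:
        return 401, None
    # rspauth proves the server knows the secret (A2 has an empty method);
    # nextnonce is carried forward to the client's next authenticated request.
    rspauth = h(f"{ha1}:{nonce}:{h(':' + URI)}")
    return 200, f'rspauth="{rspauth}", nextnonce="{secrets.token_hex(8)}"'

def client_check_server(auth_info: str, nonce: str) -> str:
    """Client: verify rspauth (server identity) before trusting the response."""
    p = parse_params(auth_info)
    if p.get("rspauth") != h(f"{h(f'{USER}:{REALM}:{PASSWORD}')}:{nonce}:{h(':' + URI)}"):
        raise ValueError("server failed mutual authentication")
    return p["nextnonce"]

def exchange(nonce: str = "n0") -> dict:
    status, info = server_verify(client_authorization(challenge(nonce)), nonce)
    nextnonce = client_check_server(info, nonce) if status == 200 else None
    return {"status": status, "nextnonce": nextnonce}
```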