opaque parameter in the Authorization request header


I have a question regarding RFC 2617 (HTTP Authentication). Please, 
forgive me if it is not the right list for such questions.
In RFC 2617 para 3.2.2 it is saying that: "The values of the opaque and 
algorithm fields must be those supplied in the WWW-Authenticate response 
header for the entity being requested". Does it mean that "opaque" field 
is mandatory in the "Authorization" header in the case it was present in 
the "WWW-Authenticate" header?

Currently I'm a spectator of a situation when a client doesn't include 
an "opaque" field in the "Authorization" header and a server replies 
with 400 "Authorization should contain opaque". Actually, I don't know 
who is right: a client or a server?


Evgeniy Khramtsov, ProcessOne.

Received on Wednesday, 13 August 2008 08:58:09 UTC