I keep finding the choice of "ChallengeResponse" for the Authorization header a poor match. If you look at some of the OAuth specifications, you see uses like the "Bearer" credential [1] where the Authorization header contains an access token. There is no regular match between a "ChallengeRequest" and a "ChallengeResponse". It makes it even further of a mismatch when you need to construct an Authorization header with an access token. You end up doing something like:

    ChallengeResponse token = new ChallengeResponse(new ChallengeScheme("HTTP_Bearer", "Bearer"));
    token.setRawValue(accessToken);

and that feels wrong as it isn't a response to anything. Also, when proxying requests (or passing them internally via RIAP requests), you then need to make special cases to check for Authorization headers as decoded into ChallengeRequest instances.

...just a bit of feedback. I'm not quite sure what I would do about this right now.

[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-10

--Alex Milowski

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2859140