I keep finding the choice of "ChallengeResponse" for the Authorization
header a poor match.  If you look at some of the OAuth specifications,
you see uses like the "Bearer" credential [1] where the Authorization
header contains an access token.  There is no regular match between a
"ChallengeRequest" and a "ChallengeResponse".  It becomes even more of
a mismatch when you need to construct an Authorization header with an
access token.  You end up doing something like:

      // ad-hoc scheme: "Bearer" is the token that goes on the wire
      ChallengeResponse token =
          new ChallengeResponse(new ChallengeScheme("HTTP_Bearer", "Bearer"));
      token.setRawValue(accessToken);

and that feels wrong as it isn't a response to anything.

Also, when proxying requests (or passing them internally via RIAP
requests), you then need to make special cases to check for
Authorization headers as decoded into ChallengeRequest instances.

...just a bit of feedback.  I'm not quite sure what I would do about
this right now.

[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-10

--Alex Milowski

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2859140
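Added example, not from Alex's post or from Restlet itself, covering both points raised above: building the Bearer credential, and relaying an incoming Bearer credential onto a proxied or RIAP request while refusing to relay any other scheme. It assumes Restlet 2.x's Request.getChallengeResponse()/setChallengeResponse() and ChallengeScheme.getTechnicalName(); matching on the technical name "Bearer" is an assumption about how the incoming header is decoded.

```java
// Added example; not code from the original post or from the Restlet project.
// Assumes Restlet 2.x: Request.getChallengeResponse()/setChallengeResponse(),
// ChallengeResponse.getScheme()/getRawValue(), ChallengeScheme.getTechnicalName().
import org.restlet.Request;
import org.restlet.data.ChallengeResponse;
import org.restlet.data.ChallengeScheme;

public final class BearerForwarding {

    // Same ad-hoc scheme the post constructs; "Bearer" is what is sent on the wire.
    static final ChallengeScheme BEARER = new ChallengeScheme("HTTP_Bearer", "Bearer");

    /** Builds the credential for "Authorization: Bearer <accessToken>". */
    static ChallengeResponse bearer(String accessToken) {
        ChallengeResponse cr = new ChallengeResponse(BEARER);
        cr.setRawValue(accessToken);
        return cr;
    }

    /**
     * Copies an incoming Bearer credential onto an outgoing (proxied or RIAP)
     * request. Returns false, forwarding nothing, when the incoming request
     * carried no Authorization header, a non-Bearer scheme (e.g. Basic) or an
     * empty token, so other credentials are never relayed by accident.
     */
    static boolean forwardBearer(Request incoming, Request outgoing) {
        ChallengeResponse cr = incoming.getChallengeResponse();
        if (cr == null || cr.getScheme() == null) {
            return false;
        }
        // Assumption: the decoded scheme's technical name is the wire token "Bearer".
        if (!"Bearer".equalsIgnoreCase(cr.getScheme().getTechnicalName())) {
            return false;
        }
        String token = cr.getRawValue();
        if (token == null || token.isEmpty()) {
            return false;
        }
        outgoing.setChallengeResponse(bearer(token));
        return true;
    }
}
```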