Hi Alex,

Besides the issue recently fixed that required an AuthenticatorHelper in this case (now fixed), the terminology choice that was made is coming from the HTTP Authentication RFC: http://www.ietf.org/rfc/rfc2617.txt

It clearly talks about: "HTTP provides a simple challenge-response authentication mechanism that MAY be used by a server to challenge a client request and by a client to provide authentication information."

In your case, what happens is called "preemptive authentication" where you send the response without waiting for the challenge request.

Hope this clarifies!

Best regards,
Jerome
--
http://www.restlet.org
http://twitter.com/#!/jlouvel

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alex Milowski
Sent: Thursday, October 20, 2011 02:39
To: [email protected]
Subject: Authorization Header vs. ChallengeResponse

I keep finding the choice of "ChallengeResponse" for the Authorization header a poor match. If you look at some of the OAuth specifications, you see uses like the "Bearer" credential [1] where the Authorization header contains an access token. There is no regular match between a "ChallengeRequest" and a "ChallengeResponse".

It makes it even further of a mismatch when you need to construct an Authorization header with an access token. You end up doing something like:

    ChallengeResponse token = new ChallengeResponse(new ChallengeScheme("HTTP_Bearer","Bearer"));
    token.setRawValue(accessToken);

and that feels wrong as it isn't a response to anything.

Also, when proxying requests (or passing them internally via RIAP requests), you then need to make special cases to check for Authorization headers as decoded into ChallengeRequest instances.

...just a bit of feedback. I'm not quite sure what I would do about this right now.

[1] http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-10

--Alex Milowski

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2859140

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2869073
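The two flows discussed in this thread, as an added example that is not part of either message and is not Restlet code: a server-side check that issues the RFC 2617 challenge when no usable Authorization header arrives and accepts a Bearer token whether it answers a challenge or is sent preemptively. The class name, realm and token value are assumptions made up for the demo; it uses only the JDK (Java 16 or later for records).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;

public class BearerChallengeDemo {
    // Constructed sample token, for this demo only.
    static final String VALID_TOKEN = "constructed-sample-token";

    /** Parsed Authorization header: scheme plus the raw credentials after it. */
    record Credentials(String scheme, String rawValue) {}

    /** Splits "Scheme raw-value"; returns null when the header is absent or malformed. */
    static Credentials parse(String header) {
        if (header == null) return null;
        String h = header.trim();
        int sp = h.indexOf(' ');
        if (sp <= 0) return null;                       // scheme with no credentials
        String raw = h.substring(sp + 1).trim();
        if (raw.isEmpty()) return null;
        // Scheme names are case-insensitive, so normalise before comparing.
        return new Credentials(h.substring(0, sp).toLowerCase(Locale.ROOT), raw);
    }

    /** Returns the status the server would send, with the challenge on 401. */
    static String handle(String authorizationHeader) {
        Credentials c = parse(authorizationHeader);
        if (c == null || !c.scheme().equals("bearer")) {
            // No usable credentials: issue the challenge (the server's half of RFC 2617).
            return "401 WWW-Authenticate: Bearer realm=\"demo\"";
        }
        // Constant-time comparison so timing does not reveal how much of the token matched.
        boolean ok = MessageDigest.isEqual(
                c.rawValue().getBytes(StandardCharsets.UTF_8),
                VALID_TOKEN.getBytes(StandardCharsets.UTF_8));
        return ok ? "200 OK"
                  : "401 WWW-Authenticate: Bearer realm=\"demo\", error=\"invalid_token\"";
    }

    public static void main(String[] args) {
        // Challenge-response: first request has no header, second answers the challenge.
        System.out.println(handle(null));
        System.out.println(handle("Bearer " + VALID_TOKEN));
        // Preemptive: credentials sent on the first request, no challenge ever seen.
        System.out.println(handle("bearer " + VALID_TOKEN));
        // Edge cases: wrong token, and a scheme with no credentials.
        System.out.println(handle("Bearer wrong"));
        System.out.println(handle("Bearer"));
    }
}
```

The server cannot tell a preemptive header from one sent in answer to a challenge, so both must pass through the same validation path.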

