Chris McDonough <> added the comment:

Form plugins will be deprecated for common use in the next release of r.who,
FWIW.  It's much easier to tell people to return a login form as their
"unauthorized" response rather than trying to "challenge" based on a 401
response from the application and do arbitrary things to pass through reasons
for failure and so on.

But for the record, the RedirectingFormPlugin currently has such a facility
(albeit undocumented but in CHANGES.txt): if the unauthorized response contains
a header named X-Authentication-Failure-Reason, that will cause the redirect to
the login form to contain a "reason" query string parameter will the value  of
that header.

status: unread -> resolved

Repoze Bugs <>
Repoze-dev mailing list

Reply via email to