Ian Hickson wrote:
RFC2617 states that "The realm directive (case-insensitive) is required
for all authentication schemes that issue a challenge."
I didn't really understand how the realm would work here, which is why I
didn't include it. Is this a case where we should violate RFC2617? (Note
that we're in a rather unusual case here because the challenge never gets a
reply in the traditional sense.)
Unless there's an ultra-important reason to violate any base requirements, I would advise against it.

"They make no sense" is a pretty important reason. What would "realm" mean in this context? Who would use it and how? How would you know what value to set it to?

I don't see how the realm is different here, compared to, for instance, Basic Auth.

If there is only a single realm, the simplest compliant approach seems to be to define a single hardwired realm name.

BR, Julian


