> -----Original Message-----
> From: oauth-bounces at ietf.org [mailto:oauth-bounces at ietf.org] On Behalf
> Of Manger, James H
> Sent: Thursday, October 01, 2009 5:33 PM
>
> I think that reasoning is wrong. Different "realm" values can indicate
> different credential groups if necessary (username vs token) while
> using the same scheme.
>
> RFC 2617 "HTTP Authentication" explicitly states:
> "Note that there may be multiple challenges with the same auth-scheme
> but different realms."
>
> A server can quite legitimately return:
> 401 Unauthenticated
> WWW-Authentication: BASIC realm="User access"
> WWW-Authentication: BASIC realm="Delegated app access"

While it is an interesting idea, I think it is bad design. How is a client supposed to know what to do with this? What is the value of reusing Basic or Digest here? Digest has failed adoption and Basic provides practically zero value. I think this will cause confusion and problems with existing deployments with no real benefits.

EHL
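Added illustration, not code from either poster or from any OAuth draft: a small client-side parser for the two-challenge response James describes (the RFC 2617 header is spelled WWW-Authenticate), showing that once the same scheme appears twice the client can only act if it already holds a realm-to-credential mapping, which is the out-of-band knowledge Eran's question points at. The `known_realms` mapping and the sample header values are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 2617 token characters: scheme names, auth-param names and unquoted values.
_TOKEN = r"[A-Za-z0-9!#$%&'*+\-.^_`|~]+"
# One element of a WWW-Authenticate value: a bare scheme name, or a name=value auth-param.
_ELEMENT = re.compile(
    rf'\s*(?P<key>{_TOKEN})'
    rf'(?:\s*=\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<plain>{_TOKEN})))?'
    r'\s*,?'
)

Challenge = Tuple[str, Dict[str, str]]


def parse_challenges(header_values: List[str]) -> List[Challenge]:
    """Parse WWW-Authenticate field values into (scheme, params) pairs.

    Accepts either layout RFC 2617 permits: one challenge per header line, or
    several comma-separated challenges in one line. The same scheme may occur
    more than once with different realms. token68 credentials are not handled;
    this is an illustration, not a complete RFC 7235 parser.
    """
    challenges: List[Challenge] = []
    for value in header_values:
        pos = 0
        while pos < len(value):
            m = _ELEMENT.match(value, pos)
            if not m:
                raise ValueError(f"malformed challenge near offset {pos}: {value[pos:]!r}")
            pos = m.end()
            key = m.group("key").lower()
            if m.group("quoted") is None and m.group("plain") is None:
                challenges.append((key, {}))  # a bare token starts a new challenge
            elif not challenges:
                raise ValueError("auth-param appears before any scheme name")
            else:
                quoted = m.group("quoted")
                val = m.group("plain") if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
                challenges[-1][1][key] = val
    return challenges


def select_challenge(challenges: List[Challenge],
                     known_realms: Dict[str, str]) -> Optional[Tuple[Challenge, str]]:
    """Return the first challenge whose realm the client has credentials for.

    known_realms maps realm -> credential kind ("password" or "token"); it is a
    constructed assumption standing in for whatever configuration tells the
    client which realm expects which credential.
    """
    for scheme, params in challenges:
        kind = known_realms.get(params.get("realm", ""))
        if kind is not None:
            return (scheme, params), kind
    return None
```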