Authentication challenges in successful HTTP responses [foaf-dev]

Etan Wexler ewexler at
Tue Jan 22 19:47:57 GMT 2008

Lukas Rosenstock wrote to the FOAF developers’ list (see 
<>) on 2008-01-13 
in “AW: [foaf-dev] for more information please log in” 

> It's not FOAF-specific, it could be applied to, let's say RSS-feeds of an
> online journal that has private postings, too. HTTP Basic Authorization or
> OAuth could be used for this, but the only way the client knows that he can
> authorize for this document is sending a "401". There should be something in
> HTTP, a header that states "additional content available on authorization".
> Any thoughts on this?

Where is the specification that limits authentication challenges to
responses whose Status-Code is “401”? I believe that there is no such
specification. In the absence of such a specification, the use of
authentication challenges is perfectly legitimate in any response,
including a response whose Status-Code is “200”.

I gave an example of that use in “Authentication and authorization as 
influences on the content of responses [foaf-dev]” 

Etan Wexler.
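
Added example (not part of the original message, nor code from any project it mentions): a Python client-side check that parses `WWW-Authenticate` challenges and treats a challenge on a “200” response as a hint that credentials may yield more content. The header values, the URL and the function names `parse_challenges` and `describe` are constructed for illustration; token68-style challenges are not handled.

```python
import re

# RFC 7235 section 4.1 lets a server send WWW-Authenticate on non-401 responses.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PART = re.compile(
    r'[\s,]*(?:(' + TOKEN + r')\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(' + TOKEN + r'))'
    r'|(' + TOKEN + r'))'
)

def parse_challenges(value):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges, pos = [], 0
    while pos < len(value):
        m = PART.match(value, pos)
        if not m:
            break  # trailing separators or syntax not handled here (token68)
        key, quoted, bare, scheme = m.groups()
        if scheme is not None:
            challenges.append((scheme, {}))
        elif challenges:
            text = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare
            challenges[-1][1][key.lower()] = text
        pos = m.end()
    return challenges

def describe(status, headers, url):
    """Return (meaning, usable challenges) for one response."""
    value = ", ".join(v for k, v in headers if k.lower() == "www-authenticate")
    challenges = parse_challenges(value)
    # Basic sends the password merely base64-encoded, so only offer it over TLS.
    usable = [(s, p) for s, p in challenges
              if s.lower() != "basic" or url.lower().startswith("https://")]
    if status == 401:
        meaning = "credentials required"
    elif challenges:
        meaning = "more content may be available with credentials"
    else:
        meaning = "no authentication offered"
    return meaning, usable

# Constructed sample: a public feed served with 200 plus two challenges.
SAMPLE_HEADERS = [
    ("Content-Type", "application/rdf+xml"),
    ("WWW-Authenticate", 'Basic realm="private postings", OAuth realm="journal"'),
]

if __name__ == "__main__":
    print(describe(200, SAMPLE_HEADERS, "https://example.org/foaf.rdf"))
```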
