2006/07/13

REST and the Authorization: Header

Talking to lots of people about identity, mashups, web services, and sustainability of the mashup ecology today at Mashup Camp.  I'm wondering why LID apparently is using a new X- header for passing pointers to authentication information rather than re-using the existing extensible Authorization: header.  Both GData and Amazon Web Services  allow Authorization: as at least one option in their REST interfaces:

Authorization: GoogleLogin auth ...
Authorization: AWS ...

I know that GData uses 401 Unauthorized and WWW-Authenticate: challenge headers and I'm going to assume that AWS does too:

WWW-Authenticate: AuthSub realm="https://www.google.com/accounts/AuthSubRequest" 

So, existing services are using the RFC 2617 framework; it's working for them; why not build on top of that instead of inventing new headers?