
Bug #17520 Always include a challenge on code 401
Submitted: 2010-06-24 01:01 UTC
From: voxpelli Assigned:
Status: Open Package: HTTP_OAuth (version SVN)
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    


 [2010-06-24 01:01 UTC] voxpelli (Pelle Wessman)
Description:
------------
In HTTP_OAuth_Provider_Response::setStatus() when you set the status to 401 you should also, according to 14.47 in RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.47, set a WWW-Authenticate header that indicates how to fulfill the challenge.

Right now the only place such a header is set is if HTTP_OAuth_Provider_Response::setRealm() is called - but a realm is no requirement to present such a challenge.

Perhaps the code should be refactored so that the WWW-Authenticate header is always set in HTTP_OAuth_Provider_Response::setStatus() and that HTTP_OAuth_Provider_Response::setRealm() only sets an internal variable.
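A sketch of the refactoring proposed in the report above, added here as an example; it is not HTTP_OAuth's code and not part of the original report. The class `ExampleProviderResponse`, its properties and `getHeaders()` are hypothetical names, and only the `setStatus()`/`setRealm()` split comes from the report.

```php
<?php
// Hypothetical stand-in for a provider response class (not HTTP_OAuth's own code).
class ExampleProviderResponse
{
    private $status  = 200;
    private $realm   = null;
    private $headers = array();

    // Only records the realm; the challenge header is owned by setStatus().
    public function setRealm($realm)
    {
        $this->realm = $realm;
        if ($this->status === 401) {
            // Keep an already-issued challenge in sync with the new realm.
            $this->headers['WWW-Authenticate'] = $this->buildChallenge();
        }
    }

    // A 401 always carries a WWW-Authenticate challenge, realm or not.
    public function setStatus($code)
    {
        $this->status = (int) $code;
        if ($this->status === 401) {
            $this->headers['WWW-Authenticate'] = $this->buildChallenge();
        } else {
            unset($this->headers['WWW-Authenticate']);
        }
    }

    private function buildChallenge()
    {
        if ($this->realm === null) {
            return 'OAuth'; // bare scheme when no realm was configured
        }
        // Strip control characters (CR/LF included) so a realm value cannot
        // inject extra headers, then escape it as a quoted-string.
        $realm = preg_replace('/[\x00-\x1F\x7F]/', '', $this->realm);
        return 'OAuth realm="' . addcslashes($realm, "\"\\") . '"';
    }

    public function getHeaders()
    {
        return $this->headers;
    }
}

// Constructed usage: status first, realm later, with a hostile realm value.
$response = new ExampleProviderResponse();
$response->setStatus(401);
print_r($response->getHeaders());
$response->setRealm("api\r\nX-Injected: 1");
print_r($response->getHeaders());
```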

Comments