
HTTP 401 MUST return a WWW-Authenticate header

Open danmarg opened this issue 6 months ago • 16 comments

We initially wrote here that the HTTP request that triggers a challenge/response should serve an HTTP 401 response code and a Sec-Session-Challenge header.

But per https://datatracker.ietf.org/doc/html/rfc2616#section-10.4.2, a 401 MUST return a WWW-Authenticate header.

Without having put any thought into this, I can see a few obvious options:

  1. Add a new HTTP authentication method, and replace the Sec-Session-Challenge header with a WWW-Authenticate header.
  2. Just return a different response code.

I see the point of doing (1) just to avoid violating the spec--(2) seems like a better choice for that. And I could see some value in reusing HTTP authentication if we think that the DBSC-style challenge/response authn will be useful on its own (and thus is worth fleshing out "standalone", without the whole refresh/session-management stuff).

But I am not sure the value there is worth trying to make this fit the existing HTTP authentication paradigm; option (2) thus seems better to me.

Curious to hear what others think! Should we just return a 403 instead?

danmarg Jul 26 '24 10:07
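Added example, not code from the issue or the DBSC project: a small checker that parses a raw HTTP/1.1 response head and flags the RFC 2616 §10.4.2 violation the issue describes, run over three constructed responses (the original 401 + Sec-Session-Challenge shape, option 1, and option 2). The `ExampleScheme` auth scheme and the nonce value are placeholders, not anything the issue or DBSC defines.

```python
"""Check a challenge response against the RFC 2616 10.4.2 rule from the issue:
a 401 MUST carry a WWW-Authenticate header. Sample responses are constructed;
"ExampleScheme" is a placeholder scheme name, not one DBSC defines."""


def parse_head(raw: bytes):
    """Parse the status line and headers of a raw HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    _version, code, *_ = status_line.split(" ", 2)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(code), headers


def check_challenge_response(raw: bytes) -> list[str]:
    """Return the problems found; an empty list means the response is acceptable."""
    code, headers = parse_head(raw)
    problems = []
    if code == 401 and "www-authenticate" not in headers:
        problems.append("401 without WWW-Authenticate violates RFC 2616 10.4.2")
    if "sec-session-challenge" not in headers and "www-authenticate" not in headers:
        problems.append("no challenge carried in either header")
    return problems


# Constructed responses for the three shapes discussed in the issue.
ORIGINAL = (b"HTTP/1.1 401 Unauthorized\r\n"
            b"Sec-Session-Challenge: \"nonce-placeholder\"\r\n\r\n")
OPTION_1 = (b"HTTP/1.1 401 Unauthorized\r\n"
            b"WWW-Authenticate: ExampleScheme challenge=\"nonce-placeholder\"\r\n\r\n")
OPTION_2 = (b"HTTP/1.1 403 Forbidden\r\n"
            b"Sec-Session-Challenge: \"nonce-placeholder\"\r\n\r\n")

if __name__ == "__main__":
    for label, resp in [("original", ORIGINAL), ("option 1", OPTION_1),
                        ("option 2", OPTION_2)]:
        print(label, check_challenge_response(resp) or "ok")
```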