There are at least two places in our code where we extract security credentials and, if they are not found, simply fail (since the required security policies have not been met). Instead, we should be able to "challenge" the client. These two places are HTTP Basic and HTTP Digest authentication. This is especially important for the latter, as we need to be able to send back a "nonce" to be checked in a future interaction.
This work is split into three pieces:
1. General mechanism in our core security code for challenges.
2. Support for the challenge mechanism in any gateway bindings that we deem should support this capability.
3. Invoke the mechanism from the proper credential extractors (i.e., AuthorizationHeaderCredentialExtractor).
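A sketch of what such a challenge could carry on the wire, added here as an illustration and not code from this project: the 401 response with a `WWW-Authenticate` header for Basic or Digest, and a Digest nonce the server can check in a later interaction without storing it. The class name `ChallengeSketch`, the realm, the nonce format (issue time plus an HMAC over it) and the five-minute lifetime are all assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper for illustration; not a class from this code base.
public class ChallengeSketch {
    static final long MAX_AGE_MS = 5 * 60 * 1000L; // assumed nonce lifetime

    // HMAC-SHA256 keyed with a server secret, so a nonce can be verified later without server-side state.
    static String mac(byte[] key, String data) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Assumed nonce format: "<issue time in ms>.<HMAC of the issue time>".
    static String newNonce(byte[] key, long nowMs) throws Exception {
        return nowMs + "." + mac(key, Long.toString(nowMs));
    }

    static boolean nonceValid(String nonce, byte[] key, long nowMs) throws Exception {
        int dot = nonce == null ? -1 : nonce.indexOf('.');
        if (dot <= 0) return false;
        String ts = nonce.substring(0, dot);
        long issued;
        try { issued = Long.parseLong(ts); } catch (NumberFormatException e) { return false; }
        byte[] expected = mac(key, ts).getBytes(StandardCharsets.UTF_8);
        byte[] actual = nonce.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison of the MAC, then a freshness check on the issue time.
        return MessageDigest.isEqual(expected, actual) && issued <= nowMs && nowMs - issued <= MAX_AGE_MS;
    }

    // Value for the WWW-Authenticate header of a 401 response; realm is assumed to be a fixed config value.
    static String challenge(String scheme, String realm, byte[] key, long nowMs) throws Exception {
        if ("Basic".equalsIgnoreCase(scheme)) return "Basic realm=\"" + realm + "\"";
        return "Digest realm=\"" + realm + "\", qop=\"auth\", algorithm=SHA-256, nonce=\"" + newNonce(key, nowMs) + "\"";
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // per-server secret, generated here for the demo
        long t0 = System.currentTimeMillis();
        // A request arrived without an Authorization header: challenge the client instead of failing.
        System.out.println("HTTP/1.1 401 Unauthorized");
        System.out.println("WWW-Authenticate: " + challenge("Digest", "example", key, t0));
        String nonce = newNonce(key, t0);
        System.out.println("fresh:    " + nonceValid(nonce, key, t0 + 1000));
        System.out.println("tampered: " + nonceValid(nonce + "x", key, t0 + 1000));
        System.out.println("expired:  " + nonceValid(nonce, key, t0 + MAX_AGE_MS + 1));
    }
}
```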