(By which I mean there's no support in the *password* flow for it. If you punt authentication out to the container/web server and use the RemoteUser flow, then you can do whatever you want and get a 401 challenge out of that layer.) -- Scott