Because the client is required to return the value of the opaque
directive given to it by the server for the duration of a session,
the opaque data may be used to transport authentication session 
state information. (Note that any such use can also be 
accomplished more easily and safely by including the state in 
the nonce.) For example, a server could be responsible for 
authenticating content that actually sits on another server. It would 
achieve this by having the first 401 response include a domain directive 
whose value includes a URI on the second server, and an opaque directive 
whose value contains the state information. The client will retry the request,
at which time the server might respond with a 301/302 redirection,
pointing to the URI on the second server. The client will follow the
redirection, and pass an Authorization header , including the
<opaque> data.