Digest challenge - domain fails with empty string

[gao-artur]

The issue is similar to #32943 but this time about domain key. For example:

www-authenticate: Digest realm="MMS Public API", domain="", nonce="NA42+vpOFQd1GwCyVRZuhhy+jDn4BMRl", algorithm=MD5, qop="auth", stale=false

will fail with error Nonce missing

RFC7616 explicitly says domain can be empty

If this parameter is
omitted or its value is empty, the client SHOULD assume that the
protection space consists of all URIs on the web-origin.

[ghost]

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

---

The issue is similar to #32943 but this time about domain key. For example:

www-authenticate: Digest realm="MMS Public API", domain="", nonce="NA42+vpOFQd1GwCyVRZuhhy+jDn4BMRl", algorithm=MD5, qop="auth", stale=false

will fail with error Nonce missing

RFC7616 explicitly says domain can be empty

If this parameter is
omitted or its value is empty, the client SHOULD assume that the
protection space consists of all URIs on the web-origin.

Author:	gao-artur
Assignees:	-
Labels:	area-System.Net, untriaged
Milestone:	-

[wfurt]

yes, the empty domain does seems like the culprit. I think it make sense to treat empty domain as missing.

[gao-artur]

@wfurt thanks for confirming!
Just want to add that this issue is critical for users of .Net 5 and Atlas MongoDB. In .Net Core 3.1 it was possible to workaround this with AppContext.SetSwitch("System.Net.Http.UseSocketsHttpHandler", false); but it doesn't work anymore in .Net 5.

[wfurt]

Yah, old handler is gone. I wish it was brought up when found broken with 3.1 instead of using the workaround.

[wfurt]

Could you verify the fix with 6.0 @gao-artur when the build gets out? (https://github.com/dotnet/installer)

[gao-artur]

@wfurt which version should I use? I have installed 6.0.100-preview.4.21179.16, but the issue still persist:

>dotnet --list-sdks
1.0.4 [C:\Program Files\dotnet\sdk]
2.1.202 [C:\Program Files\dotnet\sdk]
2.1.508 [C:\Program Files\dotnet\sdk]
2.1.509 [C:\Program Files\dotnet\sdk]
2.1.513 [C:\Program Files\dotnet\sdk]
2.2.109 [C:\Program Files\dotnet\sdk]
2.2.207 [C:\Program Files\dotnet\sdk]
2.2.402 [C:\Program Files\dotnet\sdk]
3.1.100 [C:\Program Files\dotnet\sdk]
3.1.401 [C:\Program Files\dotnet\sdk]
5.0.201 [C:\Program Files\dotnet\sdk]
6.0.100-preview.4.21179.16 [C:\Program Files\dotnet\sdk]

Private.InternalDiagnostics.System.Net.Http logs:

AuthenticationInfo : https://cloud.mongodb.com/api/atlas/v1.0/groups/***REDUCTED***/databaseUsers,Server authentication requested with WWW-Authenticate header value 'Digest realm="MMS Public API", domain="", nonce="gHS0Q1hxlp8+DhEGB28pfLDxC2rMRL7Z", algorithm=MD5, qop="auth", stale=false'
AuthenticationInfo : https://cloud.mongodb.com/api/atlas/v1.0/groups/***REDUCTED***/databaseUsers,Authentication scheme 'Digest' selected. Client username=***REDUCTED***
ErrorMessage : DigestResponse#3129430,GetDigestTokenForCredential,Nonce missing
AuthenticationError : https://cloud.mongodb.com/api/atlas/v1.0/groups/***REDUCTED***/databaseUsers,Unable to find 'Digest' authentication token when authenticating with server
AuthenticationError : https://cloud.mongodb.com/api/atlas/v1.0/groups/***REDUCTED***/databaseUsers,Server authentication failed.

Loaded asseblies:

[wfurt]

Looking at shared/Microsoft.NETCore.App/6.0.0-preview.4.21178.6/.version it seems like lates included change is 102d1e8
So the fix did not roll in yet. Unfortunately I don't know when exactly this will happen. It seems like the current build is ~ 2days behind runtime changes.

[gao-artur]

Verified with 6.0.100-preview.4.21181.20 and it works. Thanks!

[wfurt]

Thanks for confirmation @gao-artur. I'll open PR for 5.0 and check if servicing is willing take the fix.

[karelz]

@wfurt did we ever initiate the backport check? It seems like we didn't ... is it still interesting?

@gao-artur have you heard about more users of Atlas MongoDB hitting the issue?

[wfurt]

#50598 in 5.0.6.
Seems like It was referencing the PR, not this issue.