DigestAuthentication not working

[robin-blanchard]

Discussed in #2787

^{Originally posted by robin-blanchard July 25, 2023}
Hello,
It seems to be an issue with DigestAuthentication. Even with a basic HTTP server, I can't manage to correctly authenticate a client with httpx.

Here's the server implementation with Flask:

from flask import Flask
from flask_httpauth import HTTPDigestAuth

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret key here'
auth = HTTPDigestAuth()

users = {
    "john": "hello",
    "susan": "bye"
}


@auth.get_password
def get_pw(username):
    if username in users:
        return users.get(username)
    return None


@app.route('/', methods=['GET', 'POST'])
@auth.login_required
def index():
    return "Hello, {}!".format(auth.username())


if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=True)

And here's the small client:

import httpx

auth = httpx.DigestAuth("susan", "bye")
print(httpx.get("http://192.168.2.140:5000/", auth=auth).status_code)

This code returns 401.

httpx version: 0.24.1

Does anyone has a solution ? I plan on using httpx to send asynchronous requests to a server with Digest Authentication. Only httpx seems to provide Digest Authentication with async support.

Many thanks

[robin-blanchard]

It seems that manually adding the cookie to the second request does the job. For example by adding:
Cookies(response.cookies).set_cookie_header(request) right before this line: https://github.com/encode/httpx/blob/master/httpx/_auth.py#L220

[robin-blanchard]

I think there are other things to change to make it work with qop=auth
https://github.com/encode/httpx/blob/master/httpx/_auth.py#L288 : We should also enter here if qop == "auth"
https://github.com/encode/httpx/blob/master/httpx/_auth.py#L288: Incase qop is indeed auth, the response should only be digest(key_digest). Line https://github.com/encode/httpx/blob/master/httpx/_auth.py#L280 should probably be changed also to make it cleaner

[karpetrosyan]

It seems that manually adding the cookie to the second request does the job. For example by adding: Cookies(response.cookies).set_cookie_header(request) right before this line: https://github.com/encode/httpx/blob/master/httpx/_auth.py#L220

Could you please explain what you mean here?

[karpetrosyan]

Can we simplify the issue by simply stating that the Authorization flows do not include cookies in their requests?

[robin-blanchard]

Actually, I think all the necessary changes are within the DigestAuth structure. Here is a list of issues:

• Cookies from the response not included in the retried request. The session is especially missing in the retried request
• Doesn't properly handle when received qop is auth. (This is regarding the if condition)
• Wrong calculation when qop is auth: response is digest(HA1:HA1:nonce:HA2) instead of digest(HA1:nonce:HA2)

[karpetrosyan]

• Doesn't properly handle when received qop is auth. (This is regarding the if condition)
• Wrong calculation when qop is auth: response is digest(HA1:HA1:nonce:HA2) instead of digest(HA1:nonce:HA2)

Could you please explain these two issues to me?

How httpbin works with the wrong digest calculation, are you sure about that?

[tomchristie]

Believe this to be closed via #2846.