Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for digest authentication with an HTTP proxy #2526

Closed
spectrumjade opened this issue Apr 4, 2015 · 3 comments
Closed

Add support for digest authentication with an HTTP proxy #2526

spectrumjade opened this issue Apr 4, 2015 · 3 comments

Comments

@spectrumjade
Copy link

Currently, requests only supports HTTP basic authentication to a proxy. It would be very useful to support digest authentication with a proxy as well.

Additionally, there should be some way to signal that requests should not attempt to pass proxy credentials in plaintext before receiving the digest nonce from the proxy.
@Lukasa
Copy link
Member

Lukasa commented Apr 4, 2015

@justintime32 Thanks for the feature request!

It should be entirely possible to write a short authentication handler that does exactly what you need: a quick Google showed this as the top result. Because of the ease of adding such a thing yourself, and because it's relatively infrequently used, we don't believe there's much advantage in bringing Proxy Digest Auth into the core library.

@Lukasa Lukasa closed this as completed Apr 4, 2015
@spectrumjade
Copy link
Author

Hi @Lukasa, I actually started by writing an auth handler. The main issue I ran into was that it only works for non-SSL requests. SSL requests through a proxy are made through a CONNECT tunnel, and the CONNECT request must be authenticated. The auth handler appears to be unable to hook into the proxy tunnel creation step, and therefore SSL requests will always fail.

Are there other ways to add this authentication without modifying the core? Maybe some more hooks around the proxy tunnel creation?

@Lukasa
Copy link
Member

Lukasa commented Apr 4, 2015

Unfortunately, what you need is not possible with httplib. To do the CONNECT tunnel in httplib, you end up in the _tunnel method, which has the following code:

    def _tunnel(self):
        connect_str = "CONNECT %s:%d HTTP/1.0\r\n" % (self._tunnel_host,
            self._tunnel_port)
        connect_bytes = connect_str.encode("ascii")
        self.send(connect_bytes)
        for header, value in self._tunnel_headers.items():
            header_str = "%s: %s\r\n" % (header, value)
            header_bytes = header_str.encode("latin-1")
            self.send(header_bytes)
        self.send(b'\r\n')

        response = self.response_class(self.sock, method=self._method)
        (version, code, message) = response._read_status()

        if code != 200:
            self.close()
            raise OSError("Tunnel connection failed: %d %s" % (code,
                                                               message.strip()))

As you can see, there is no way to hook into a 407 response here. We can only do this by overriding the way the HTTP connection functions, which is something we do in urllib3: I recommend opening a feature request there.

@nametkin nametkin mentioned this issue May 15, 2021
Merged
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 8, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@spectrumjade @Lukasa