Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Digest access authentication format

2 views
Skip to first unread message

yawnmoth

unread,
Dec 19, 2009, 12:32:28 AM12/19/09
to
From <http://tools.ietf.org/html/rfc2617#section-3.2.2>:

username = "username" "=" username-value
username-value = quoted-string
digest-uri = "uri" "=" digest-uri-value
digest-uri-value = request-uri ; As specified by HTTP/1.1

From a Wireshark capture of Digest access authentication:

Authorization: Digest username="test", realm="...",
nonce="AAR638Epy8c=89095bd24b74677157136987475f5b678ca33945", uri="/
path/to/test.php", algorithm=MD5,
response="44ace83593f6562119a38aef0c34b76a", qop=auth, nc=00000007,
cnonce="c4859daa492b97e6"

My question is... why does uri, in the Wireshark capture, have double
quotes? username has them because quoted-string (which is what
username-value is defined as) has them but request-uri (which is what
digest-uri-value is defined as), as defined in <http://tools.ietf.org/
html/rfc2616#section-5.1.2> does not appear to. So why are they there?

yawnmoth

unread,
Dec 19, 2009, 4:40:26 PM12/19/09
to

Related to this, <http://tools.ietf.org/html/rfc2069#section-2.1.2>'s
Authorization header has an optional parameter - digest. <http://
tools.ietf.org/html/rfc2617#section-3.2.2>, however, makes no mention
of a digest header. Why was the 'digest' header dropped? (note that I
haven't read all of RFC2617 yet so if it's explained further within
that I probably just haven't gotten to that part of it).

Also, what's the point of including an algorithm parameter in the
Authorization header? The domains parameter, as defined in the WWW-
Authorize header, isn't returned in the Authorization header because
presumably it'd serve no point. It seems to me that the algorithm
parameter is similarly pointless? And if the client can pick and
choose what algorithms it wants to use then why does the server send
the algorithm parameter in the WWW-Authorize header? It doesn't seem
to me that RFC2617 has any provisions for algorithm negotiation so
it's not as if the server can say "here's a list of algorithms I
support" and the client can pick among them.

Ilmari Karonen

unread,
Dec 19, 2009, 5:22:41 PM12/19/09
to
On 2009-12-19, yawnmoth <terr...@yahoo.com> wrote:
>
> Also, what's the point of including an algorithm parameter in the
> Authorization header? The domains parameter, as defined in the WWW-
> Authorize header, isn't returned in the Authorization header because
> presumably it'd serve no point. It seems to me that the algorithm
> parameter is similarly pointless? And if the client can pick and
> choose what algorithms it wants to use then why does the server send
> the algorithm parameter in the WWW-Authorize header? It doesn't seem
> to me that RFC2617 has any provisions for algorithm negotiation so
> it's not as if the server can say "here's a list of algorithms I
> support" and the client can pick among them.

I know nothing about RFC 2917, but in general I'd assume that, even in
the absence of an explicit negotiation mechanism, the server might
still (in principle, at least) choose to use different algorithms with
different clients (if, say, it knew that some clients only support
certain algorithms). Including the algorithm identifier in the client
header means the server won't have to remember (or guess) which
algorithm it asked this particular client to use.

Also, specifying the algorithm in the header may allow for more
informative server error messages ("wrong hash algorithm used" instead
of just an opaque "authentication failed"). It could also be useful
for miscellaneous debugging purposes. And it's not like including it
carries any significant cost.

--
Ilmari Karonen
To reply by e-mail, please replace ".invalid" with ".net" in address.

0 new messages