Skip to content

Per RFC 7616, use the provided Response algorithm in the Request#467

Merged
ok2c merged 2 commits into
apache:masterfrom
jvasileff:fix-digest-header-algorithm
Jul 20, 2023
Merged

Per RFC 7616, use the provided Response algorithm in the Request#467
ok2c merged 2 commits into
apache:masterfrom
jvasileff:fix-digest-header-algorithm

Conversation

@jvasileff
Copy link
Copy Markdown
Contributor

@jvasileff jvasileff commented Jul 19, 2023
edited
Loading

For digest authentication, in RFC 7616 section "3.4 The Authorization
Header Field":

The values of the opaque and algorithm fields must be those supplied
in the WWW-Authenticate response header field for the entity being
requested.

This commit honors that rule, and removes the previous behavior that
augmented the request header with "algorithm=MD5" when none was provided
in the server's response.

Aside from the specification, it also stands to reason that if the
server failed to provide "algorithm=..." in its "WWW-Authenticate"
header, the server should be fine with the client failing to provide
"algorithm=..." in the "Authorization" header.

The motivation for this change is that including "algorithm=MD5" in the
"Authorization" header causes http requests to fail when made to an
embedded system, which I suspect to be a an Espressif ESP32 web server.

@arturobernalg
Copy link
Copy Markdown
Member

arturobernalg commented Jul 19, 2023

Didn't RFC 2617 get deprecated and subsequently replaced by RFC 7616? this change looks like fallow the RFC 7616.

@jvasileff
Copy link
Copy Markdown
Contributor Author

jvasileff commented Jul 19, 2023

Ah, yes, thanks. It looks like RFC 7616 obsoletes 2617.

In RFC 7616, relevant quotes from 3.4 The Authorization Header Field supporting this change are:

The values of the opaque and algorithm fields must be those supplied in the WWW-Authenticate response header field for the entity being requested.

and

For historical reasons, a sender MUST NOT generate the quoted string syntax for the following parameters: algorithm, qop, and nc.

The second note about quoting is only relevant in that it rules out other potential changes - this PR makes no changes to quoting; the algorithm value is still produced without " tokens.

@ok2c
Copy link
Copy Markdown
Member

ok2c commented Jul 20, 2023

@jvasileff Could you please do the following?

  • update references to the RFC used in the PR title and the commit message
  • add a test case to TestDigestScheme asserting the new behavior

jvasileff added 2 commits July 20, 2023 07:52
@jvasileff
Per RFC 7616, use the provided Response algorithm in the Request
26eea08 
For digest authentication, in RFC 7616 section "3.4 The Authorization
Header Field":

    The values of the opaque and algorithm fields must be those supplied
    in the WWW-Authenticate response header field for the entity being
    requested.

This commit honors that rule, and removes the previous behavior that
augmented the request header with "algorithm=MD5" when none was provided
in the server's response.

Aside from the specification, it also stands to reason that if the
server failed to provide "algorithm=..." in its "WWW-Authenticate"
header, the server should be fine with the client failing to provide
"algorithm=..." in the "Authorization" header.

The motivation for this change is that including "algorithm=MD5" in the
"Authorization" header causes http requests to fail when made to an
embedded system, which I suspect to be a an Espressif ESP32 web server.
@jvasileff
Test for presence of "algorithm" in digest authentication
8187208 
algorithm should be present in the Authentication header if and only if
it is present in the challenge
@jvasileff jvasileff changed the title Per rfc2617, use the provided Response algorithm in the Request Per RFC 7616, use the provided Response algorithm in the Request Jul 20, 2023
@jvasileff
Copy link
Copy Markdown
Contributor Author

jvasileff commented Jul 20, 2023

@ok2c Done!

@ok2c ok2c merged commit c63b45a into apache:master Jul 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jvasileff @arturobernalg @ok2c