[Bug]: "Add camera" wizard ignores ONVIF auth type (digest auth always assumed)

[PeterBeklemishev]

Checklist

• I have updated to the latest available Frigate version.
• I have cleared the cache of my browser.
• I have tried a different browser to see if it is related to my browser.
• I have tried reproducing the issue in incognito mode to rule out problems with any third party extensions or plugins I have installed.
• I have asked the AI at https://docs.frigate.video about my issue.

Describe the problem you are having

It is currently not possible to add camera with OpenIPC firmware using "Add camera" wisard (and possibly any other camera that does not supports passwordDigest and expects passwordText onvif auth) as toggle "Use digest authentication" value in this wizard is partially ignored.

When adding camera using Add camera wisard user is able to toggle "Use digest authentication" ("Use HTTP digest authentication for ONVIF. Some cameras may require a dedicated ONVIF username/password instead of the standard admin user."), which results in sending request to /onvif/probe endpoint. Digest toggle value is passed to API as auth_type query parameter (toggled = digest, not toggled = basic).

This endpoint uses ONVIFCamera class from onvif-zeep-async library for interfacing with camera.

Relevant piece of code is:

        ....
        onvif_camera = ONVIFCamera(
            host, port, username or "", password or "", wsdl_dir=wsdl_base
        )
        ....
         if auth_type == "digest" and username and password:
            # Create httpx client with digest auth, configure internal transports, ...
        ....

ONVIFCamera has parameter encrypt, that has default value True. In another place where ONVIFCamera is used this parameter set to tls_insecure flag value from config.
ONVIFCamera under the hood uses ONVIFService and passes encrypt parameter to it as-is. In ONVIFService this parameter is documented as "Indicate wether password digest is needed" and indeed it is later passed to UsernameDigestTokenDtDiff (wrapper that implements timestamps work-around and is based on zeep.wsse.username.UsernameToken):

        wsse = UsernameDigestTokenDtDiff(
            self.user, self.passwd, dt_diff=self.dt_diff, use_digest=self.encrypt
        )

so our "encrypt" becames explicitly named use_digest parameter, and (currently) it is always True for /api/onvif/probe endpoint which results in passwordDigest being always used.

Fix: Add , encrypt=auth_type != 'basic' or simular to ONVIFCamera constructor call in /api/onvif/probe endpoint.

Steps to reproduce

1. Start capturing traffic or set log level to debug for loggers onvif, frigate.api.camera
2. Use Add camera wizard to probe camera with and without use digest toggle
3. Observe passwordDigest usage in both cases

Version

0.17.1-416a9b7

In which browser(s) are you experiencing the issue with?

No response

Frigate config file

mqtt:
  enabled: False

cameras:
  Gate:
    onvif:
      host: gate-cam.local.lan
      port: 80
      user: viewer
      password: '123456'
      tls_insecure: True
    ffmpeg:
      inputs:
        - path: 'rtsp://viewer:123456@gate-cam.local.lan/stream=0'
          roles:
           - detect
           - record

docker-compose file or Docker CLI command

services:
  frigate:
    container_name: frigate
    # privileged: true # this may not be necessary for all setups
    restart: unless-stopped
    stop_grace_period: 30s # allow enough time to shut down the various services
    image: ghcr.io/blakeblackshear/frigate:0.17.1
    shm_size: "512mb" # update for your cameras based on calculation above
    devices:
      #- /dev/bus/usb:/dev/bus/usb # Passes the USB Coral, needs to be modified for other versions
      #- /dev/apex_0:/dev/apex_0 # Passes a PCIe Coral, follow driver instructions here https://github.com/jnicolson/gasket-builder
      #- /dev/video11:/dev/video11 # For Raspberry Pi 4B
      - /dev/dri/renderD128:/dev/dri/renderD128 # AMD / Intel GPU, needs to be updated for your hardware
      #- /dev/accel:/dev/accel # Intel NPU
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/frigate/config:/config
      - /opt/storage:/media/frigate
      - type: tmpfs # 1GB In-memory filesystem for recording segment storage
        target: /tmp/cache
        tmpfs:
          size: 1000000000
    ports:
      - "8971:8971"
      # - "5000:5000" # Internal unauthenticated access. Expose carefully.
      - "8554:8554" # RTSP feeds
      - "8555:8555/tcp" # WebRTC over tcp
      - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: "password"
      LIBVA_DRIVER_NAME: "radeonsi"

Relevant Frigate log output

frigate  | 2026-05-31 11:09:14.941677098  [2026-05-31 11:09:14] frigate.api.camera             DEBUG   : Probing ONVIF device at gate-cam.local.lan:80 with basic auth
frigate  | 2026-05-31 11:09:14.942288330  [2026-05-31 11:09:14] onvif                          DEBUG   : Creating service ('devicemgmt', None) with http://gate-cam.local.lan:80/onvif/device_service
frigate  | 2026-05-31 11:09:14.960471779  [2026-05-31 11:09:14] onvif                          DEBUG   : Overriding default datetime type to use FastDateTime
frigate  | 2026-05-31 11:09:14.960877981  [2026-05-31 11:09:14] onvif                          DEBUG   : Overriding default time type to use ForgivingTime
frigate  | 2026-05-31 11:09:15.056492888  [2026-05-31 11:09:15] onvif.zeep_aiohttp             DEBUG   : HTTP Post to http://gate-cam.local.lan:80/onvif/device_service:
frigate  | 2026-05-31 11:09:15.056507265  b'<?xml version=\'1.0\' encoding=\'utf-8\'?>\n<soap-env:Envelope xmlns:soap-env="http://www.w3.org/2003/05/soap-envelope" xmlns:wsnt="http://docs.oasis-open.org/wsn/b-2" xmlns:wsa="http://www.w3.org/2005/08/addressing"><soap-env:Header><wsa:Action>http://www.onvif.org/ver10/device/wsdl/GetCapabilities</wsa:Action><wsa:MessageID>urn:uuid:7edb0476-c1c1-42dd-98e0-101ff0c81e2a</wsa:MessageID><wsa:To>http://gate-cam.local.lan:80/onvif/device_service</wsa:To><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:UsernameToken><wsse:Username>viewer</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">Z3JcpFwiTg+kGUFOEgRxi4djP1Q=</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">Jxgh2v44Ypt9KWaolH8bvw==</wsse:Nonce><wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2026-05-31T11:09:15+00:00</wsu:Created></wsse:UsernameToken></wsse:Security></soap-env:Header><soap-env:Body><ns0:GetCapabilities xmlns:ns0="http://www.onvif.org/ver10/device/wsdl"><ns0:Category>All</ns0:Category></ns0:GetCapabilities></soap-env:Body></soap-env:Envelope>'
frigate  | 2026-05-31 11:09:15.128291130  [2026-05-31 11:09:15] onvif.zeep_aiohttp             DEBUG   : HTTP Response from http://gate-cam.local.lan:80/onvif/device_service (status: 400):
frigate  | 2026-05-31 11:09:15.128299326  b'<?xml version="1.0" encoding="utf-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><SOAP-ENV:Body><SOAP-ENV:Fault><SOAP-ENV:Code><SOAP-ENV:Value>SOAP-ENV:Sender</SOAP-ENV:Value><SOAP-ENV:Subcode><SOAP-ENV:Value>wsse:FailedAuthentication</SOAP-ENV:Value></SOAP-ENV:Subcode></SOAP-ENV:Code><SOAP-ENV:Reason><SOAP-ENV:Text xml:lang="en">The security token could not be authenticated.</SOAP-ENV:Text></SOAP-ENV:Reason></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>'
frigate  | 2026-05-31 11:09:15.130863263  192.168.0.219 - - [31/May/2026:11:09:15 +0000] "GET /api/onvif/probe?host=gate-cam.local.lan&port=80&username=viewer&password=123456&test=false&auth_type=basic HTTP/1.1" 503 46 "https://giga.local.lan:8971/settings" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36" "-" request_time="0.195" upstream_response_time="0.192"
frigate  | 2026-05-31 11:09:15.131633798  [2026-05-31 11:09:15] frigate.api.camera             WARNING : Connection error probing gate-cam.local.lan:80: The security token could not be authenticated.

Relevant go2rtc log output

not relevant

Operating system

Other Linux

Install method

Docker Compose

Network connection

Wired

Camera make and model

unnamed ipc board with OpenIPC (Version 2.6.05.31-ultimate Build master+9d8d5a3, 2026-05-31 Majestic master+b1d336d, 2026-05-30 19:36)

Screenshots of the Frigate UI's System metrics pages

not relevant

Any other information that may be helpful

Maybe camera onvif.tls_insecure flag should be better documented.

[inkeep-ai-assistant[bot]]

This appears to be a valid bug report. You've correctly identified that the /api/onvif/probe endpoint doesn't pass the encrypt parameter to the ONVIFCamera constructor based on the auth_type value, causing it to always default to password digest authentication even when "basic" auth is selected in the wizard.

The ONVIF configuration in Frigate supports a tls_insecure option which affects this behavior when configured through the config file:(1)

onvif:
  host: 0.0.0.0
  port: 8000
  user: admin
  password: admin
  tls_insecure: False

(1)

However, as you've noted, this parameter isn't being applied in the camera wizard's probe endpoint, which is why your OpenIPC camera fails authentication when using the wizard but would work when configured directly in the config file with tls_insecure: True.

Your analysis is thorough and the proposed fix (adding encrypt=auth_type != 'basic' to the ONVIFCamera constructor call) appears correct based on your code review. This is a code-level bug that would need to be addressed by the Frigate developers.

For now, you can work around this by:

1. Skipping the ONVIF probe in the wizard
2. Adding your camera's ONVIF settings directly in the config file with tls_insecure: True as you've already done

Note that ONVIF configuration through the wizard is not currently supported for auto-detection due to the variability in ONVIF implementations across camera vendors.(2) Full UI-based configuration is planned for a future version.(2)

📚 Sources:

1. Full Reference Config
2. ONVIF setup in the new 0.17 camera wizard

---

Have another question? Just tag @inkeep.

[PeterBeklemishev]

so i have to create issue to get this problem fixed or pull request?

[PeterBeklemishev]

@inkeep

[inkeep-ai-assistant[bot]]

Since you've already filed this as a bug report on GitHub, you're on the right track. You have two options:

1. Wait for the maintainers to review and address your bug report
2. Submit a pull request with your proposed fix (encrypt=auth_type != 'basic')

If you're comfortable implementing the fix yourself, a pull request would likely get this resolved faster. Your analysis is detailed and the fix appears straightforward, which makes it a good candidate for a community contribution.

You can submit PRs to the Frigate repository at GitHub.

---

Have another question? Just tag @inkeep.

[hawkeye217]

Thanks for the detailed write-up, your analysis is correct. The probe in the add camera wizard always sends a WS-Security PasswordDigest token regardless of the auth selection, so cameras that expect PasswordText (like your OpenIPC board) can't authenticate through the wizard.

It's worth clarifying though that the "Use digest authentication" toggle controls HTTP-level digest auth, which is a separate thing from the WS-Security password encoding that's actually tripping you up here, so it's not that the toggle is being ignored, it's that the password encoding isn't exposed at all in the wizard. As you noted, the config-based path already handles this via tls_insecure, but the probe doesn't account for it.

On your proposed fix (encrypt=auth_type != 'basic'): that would tie the WS-Security password encoding to the HTTP auth toggle, but those are two independent ONVIF concepts. With that change, the single toggle would control both layers at once, so you could no longer represent valid combinations like HTTP digest + PasswordText, or HTTP basic + PasswordDigest. It happens to line up for your camera, but it would break others, so we'll want to handle the encoding separately rather than overload that toggle.

I'll push a fix for the next version of Frigate that will try both password encodings. In the meantime, manually adding the camera rather than relying on an ONVIF probe is the suggested workaround.

[hawkeye217]

This is improved in #23365