Traefik always uses hardcoded "traefik" realm for digest authentication.

[AndrewSav]

Do you want to request a feature or report a bug?

Bug

What did you do?

Ran

docker run --rm -it -p 8080:8080 traefik --api.entrypoint=api --entryPoints='Name:api Address::8080 Auth.Digest.Users:test:myrealm:a2688e031edb4be6a3797f3882655c05'

And the navigated to http://localhost:8080 in my browser, while watching http requests being passed between the browser and traefik.

What did you expect to see?

I expected to see realm equals "myrealm" in the Www-Authenticate header.

What did you see instead?

I saw realm equals "traefik" in the Www-Authenticate header. See here

Output of traefik version: (What version of Traefik are you using?)

Version:      v1.6.6
Codename:     tetedemoine
Go version:   go1.10.3
Built:        2018-08-20_01:10:06PM
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

No specific configuration.

NewDigestAuthenticator takes realm as the first parameter. Traefik always passes hardcoded "traefik" string

If applicable, please paste the log output in DEBUG level (--logLevel=DEBUG switch)

INFO[2018-08-29T21:22:29Z] Traefik version v1.6.6 built on 2018-08-20_01:10:06PM
INFO[2018-08-29T21:22:29Z]
Stats collection is disabled.
Help us improve Traefik by turning this feature on :)
More details on: https://docs.traefik.io/basics/#collected-data

DEBU[2018-08-29T21:22:29Z] Global configuration loaded {"LifeCycle":{"RequestAcceptGraceTimeout":0,"GraceTimeOut":10000000000},"GraceTimeOut":0,"Debug":false,"CheckNewVersion":true,"SendAnonymousUsage":false,"AccessLogsFile":"","AccessLog":null,"TraefikLogsFile":"","Trae
fikLog":null,"Tracing":null,"LogLevel":"DEBUG","EntryPoints":{"api":{"Address":":8080","TLS":null,"Redirect":null,"Auth":{"Basic":null,"Digest":{"Users":["test:myrealm:a2688e031edb4be6a3797f3882655c05"],"UsersFile":""},"Forward":null,"HeaderField":""},"WhitelistSourceRan
ge":null,"WhiteList":null,"Compress":false,"ProxyProtocol":null,"ForwardedHeaders":{"Insecure":true,"TrustedIPs":null}}},"Cluster":null,"Constraints":[],"ACME":null,"DefaultEntryPoints":["http"],"ProvidersThrottleDuration":2000000000,"MaxIdleConnsPerHost":200,"IdleTimeou
t":0,"InsecureSkipVerify":false,"RootCAs":null,"Retry":null,"HealthCheck":{"Interval":30000000000},"RespondingTimeouts":null,"ForwardingTimeouts":null,"AllowMinWeightZero":false,"Web":null,"Docker":null,"File":null,"Marathon":null,"Consul":null,"ConsulCatalog":null,"Etcd
":null,"Zookeeper":null,"Boltdb":null,"Kubernetes":null,"Mesos":null,"Eureka":null,"ECS":null,"Rancher":null,"DynamoDB":null,"ServiceFabric":null,"Rest":null,"API":{"EntryPoint":"api","Dashboard":true,"Debug":false,"CurrentConfigurations":null,"Statistics":null},"Metrics
":null,"Ping":null}
INFO[2018-08-29T21:22:29Z] Preparing server api &{Address::8080 TLS:<nil> Redirect:<nil> Auth:0xc42060a660 WhitelistSourceRange:[] WhiteList:<nil> Compress:false ProxyProtocol:<nil> ForwardedHeaders:0xc4204edec0} with readTimeout=0s writeTimeout=0s idleTimeout=3m0s
INFO[2018-08-29T21:22:29Z] Starting provider configuration.providerAggregator {}
INFO[2018-08-29T21:22:29Z] Starting server on :8080

[mathroc]

I'm not sure how traefik is supposed to handle the realm defined in the Auth.Digest.Users field. how does it work if multiple users have different realm ?

maybe a new label is needed ?

note: I was looking for this not for digest auth but for basic auth, if it's independant let me know and i'll open another issue

[tcoupin]

@mathroc you should look #3917

[geraldcroes]

I'll close this (fixed) issue.

[tcoupin]

@geraldcroes this issue is for digest, my PR is for basic only. Do you want a similar PR for digest ?

[geraldcroes]

Thanks for helping @tcoupin ! Actually we already have a PR in progress for Digest, so it's not necessary. I might leave the issue open since it's not per se fixed ... I'll give it additional thoughts.

[ilyaglow]

Hey, @geraldcroes any updates on the PR for this issue? Seems weird that this issue is closed, despite the fact that the basic auth realm was fixed in #3917 and not the digest one, which original author concerns about.

[geraldcroes]

Hi! it has been included for the next version

https://github.com/containous/traefik/blob/master/middlewares/auth/digest_auth_test.go#L81