Digest Auth in MD5-sess does not work #2941

Closed
kota65535 opened this Issue Apr 12, 2017 · 18 comments

Comments

@kota65535

kota65535 commented Apr 12, 2017

  1. Postman Version: v4.10.7
  2. App (Chrome app or Mac app): Linux app
  3. OS details: Cent OS 7
  4. Is the Interceptor on and enabled in the app: There is no interceptor but proxy setting icon...
  5. Did you encounter this recently, or has this bug always been there: always
  6. Expected behaviour:

I've tested using this page.
This address below can be accessed by user: aaa and password: bbb.
https://httpbin.org/digest-auth/auth/aaa/bbb/MD5-sess

Steps to Reproduce

  1. In the Authorization tab, type the values below:
    Type: Digest Auth
    Username: aaa
    Realm: {{echo_digest_realm}}
    Password: bbb
    Nonce: {{echo_digest_nonce}}
    Algorithm: MD5-sess
    qop: auth

  2. Hit the "Update Request" button.

  3. Send GET request to https://httpbin.org/digest-auth/auth/aaa/bbb/MD5-sess.

  4. 401 UNAUTHORIZED will be returned.

I also realized that nc and cnonce in the generated Authorization header are always blank. As far as I know, MD5-sess uses these values to calculate the hash. I think this is the cause of the problem.

I found this closed issue #932 , which seems to be related to this problem.

@medjai


medjai commented Jun 12, 2017

@czardoz Will this be fixed in the windows client too? I can also confirm that using {{echo_digest_realm}} and {{echo_digest_nonce}} does not work

@nushydude


nushydude commented Jun 21, 2017

I too can reproduce this issue on 5.0.1 Chrome app.

@medjai


medjai commented Jun 28, 2017

@numaanashraf When can we expect this to be fixed? This is a major roadblock for me. I am using Postman to work with our devices here at work and test API implementation but our devices ONLY support digest authentication. It has been months since this issue was reported

@madebysid madebysid assigned kunagpal and unassigned czardoz Jul 4, 2017

@medjai


medjai commented Aug 20, 2017

@kunagpal This has been assigned and re-assigned many times with no resolution for months. Can we expect this to be fixed soon?

MD5 and MD5-session both don't work!

@harryi3t harryi3t self-assigned this Sep 20, 2017

@harryi3t


harryi3t commented Sep 20, 2017

@medjai MD5 does work
[image]
Let me know if you have issues with MD5. (Also, in the next release we are supporting auto-detection of nonce and realm from the server response, so the user would have to fill in the username and password only and it will just work.)

@kota65535 About MD5-sess, from what I tested, httpbin does not even support MD5-sess.
This can be verified by looking at the response headers when you call this end-point.
[image]

IMO they are doing partial matching of the URL. So anything after (/MD5-xxxxx) will hit the /MD5 endpoint.
[image]

I have checked the code and found that the logic is there to handle the MD5-sess algorithm. So that should also work, but I don't have an endpoint to verify this.
[image]

The passport-http module also does not support MD5-sess :(
I would really appreciate it if anyone can help me by pointing to an endpoint on which I can test MD5-sess.

Update

passport-http does support MD5-sess
I will test using it, and if there is a bug it will be fixed soon.

@harryi3t


harryi3t commented Sep 22, 2017

Update:

I can confirm that MD5-sess does not work. Tested with passport-http.
Expected to be fixed in Postman 5.3.

@harryi3t harryi3t added this to Doing in Authorization Sep 22, 2017

@kunagpal kunagpal removed their assignment Sep 22, 2017

@medjai


medjai commented Sep 22, 2017

@harryi3t


harryi3t commented Sep 25, 2017

@medjai
I see what's happening.
Right now Postman does not support any interactivity in the auths.
By interactivity I mean, from the response to the first request, making the second request and so on (like the browsers).
Right now users have to fill in the details manually.
For digest auth, it means you need to fill the realm and nonce manually.

But the good news is, we are shipping Postman 5.3 (around the 1st week, Oct) with this interactive mode.
That means from 5.3 onwards making one request will suffice.

@medjai


medjai commented Sep 25, 2017

@harryi3t harryi3t added this to the 5.3 milestone Sep 26, 2017

@harryi3t harryi3t moved this from Doing to Done in Authorization Oct 5, 2017

@medjai


medjai commented Oct 5, 2017

@harryi3t


harryi3t commented Oct 6, 2017

@kota65535 @medjai
Postman 5.3 is released 🎉 I need at least one confirmation that this has fixed the issue.
Can you guys please check it?

@medjai


medjai commented Oct 6, 2017

@harryi3t


harryi3t commented Oct 7, 2017

@medjai I will be more than happy to assist you in resolving the issue.
Could you provide me with some more details around when it fails?

  1. Please open the Postman console (View -> Show Postman Console) and clear any logs, if present.
  2. Send the request (having digest auth).
  3. Take a screenshot of the Postman console.
  4. Expand all the logs and each section and copy the content.
  5. Send this info either here in the comment or, if you prefer, you can send an email to me at harendra[at]getpostman[dot]com.
    We also have a Slack community channel: https://www.getpostman.com/slack-invite

Note: You can obfuscate the confidential information.

Sample Data (with incorrect credentials):

[image]

Request 1

Request Headers:
cache-control:"no-cache"
postman-token:"7aeca5bf-d427-441e-8a25-741be0dcb35d"
user-agent:"PostmanRuntime/6.4.0"
accept:"*/*"
host:"postman-echo.com"
cookie:"sails.sid=s%3A7gzzlN1D6N3wgANJsxW9CPPscNLyb6a3.GPJ2LhdTqUXbizLmVVXFV0tmIkk4nASabXL1aeJjsyc"
accept-encoding:"gzip, deflate"
Response Headers:
server:"nginx/1.10.2"
date:"Sat, 07 Oct 2017 07:30:14 GMT"
transfer-encoding:"chunked"
connection:"keep-alive"
access-control-allow-origin:""
access-control-allow-credentials:""
access-control-allow-methods:""
access-control-allow-headers:""
access-control-expose-headers:""
www-authenticate:"Digest realm="Users", nonce="46W85Y6C4Tqg60AHzk9reefedCBOTPtO", qop="auth""
set-cookie:"sails.sid=s%3Advm-wlwPxQpgcCCHWdD_MgZPSXdiKyN0.DQi%2BRTIopYZS3EctlUDqVAWkKCzS6L7HV53DEnhvmHw; Path=/; HttpOnly"
Response Body:
Unauthorized

Request 2

Request Headers:
cache-control:"no-cache"
postman-token:"7aeca5bf-d427-441e-8a25-741be0dcb35d"
user-agent:"PostmanRuntime/6.4.0"
accept:"*/*"
host:"postman-echo.com"
cookie:"sails.sid=s%3A7gzzlN1D6N3wgANJsxW9CPPscNLyb6a3.GPJ2LhdTqUXbizLmVVXFV0tmIkk4nASabXL1aeJjsyc; sails.sid=s%3Advm-wlwPxQpgcCCHWdD_MgZPSXdiKyN0.DQi%2BRTIopYZS3EctlUDqVAWkKCzS6L7HV53DEnhvmHw"
accept-encoding:"gzip, deflate"
authorization:"Digest username="postma", realm="Users", nonce="46W85Y6C4Tqg60AHzk9reefedCBOTPtO", uri="/digest-auth", algorithm="MD5", qop=auth, nc=00000001, cnonce="LJFQgdmI", response="1ec44e3e24689df0cfb1c791504582ee""
Response Headers:
server:"nginx/1.10.2"
date:"Sat, 07 Oct 2017 07:30:15 GMT"
transfer-encoding:"chunked"
connection:"keep-alive"
access-control-allow-origin:""
access-control-allow-credentials:""
access-control-allow-methods:""
access-control-allow-headers:""
access-control-expose-headers:""
www-authenticate:"Digest realm="Users", nonce="hgZwfOlRjnhNw4YdARByCwQURey6Ol0o", qop="auth""
set-cookie:"sails.sid=s%3AMSTj8SedIxdEJmLFl14qbyKTAnFjy_8h.hfsh0dzrcCIKM7YiQAPOUY9tfEtttUdelQbfMgxxFqU; Path=/; HttpOnly"
Response Body:
Unauthorized

And so on for Request 3 and 4
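The two things this thread turns on, the nc/cnonce values the original report found blank and the challenge/response exchange in the console log above, can be checked offline. The block below is an added example, not Postman's or passport-http's code: it parses a `WWW-Authenticate` challenge shaped like the one in the log (with a constructed nonce), computes the RFC 2617 `response` for both `MD5` and `MD5-sess`, builds the `Authorization` header, and verifies it the way a server would, refusing a header whose `nc` or `cnonce` is empty while `qop` is in use. `digest_response` is checked against the worked example in RFC 2617 section 3.5; `SAMPLE_CHALLENGE`, the user `aaa`/`bbb` and the function names are this example's own.

```python
"""Added example (not Postman's code): RFC 2617 Digest computation for
MD5 and MD5-sess, a challenge parser, an Authorization builder and a
server-side verifier. Sample values are constructed or from RFC 2617 3.5."""
import hashlib
import hmac
import re
import secrets

# Constructed challenge, shaped like the www-authenticate header in the
# postman-echo log above; the nonce is a made-up value.
SAMPLE_CHALLENGE = 'Digest realm="Users", nonce="constructednonce0001", qop="auth"'


def _h(data: str) -> str:
    """Lower-case hex MD5 of a UTF-8 string (the H() of RFC 2617)."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' (challenge or credentials) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]*)', params)
    return {k.lower(): v.strip().strip('"') for k, v in pairs}


def digest_response(username, password, realm, method, uri, nonce,
                    algorithm="MD5", qop="auth", nc="00000001", cnonce=""):
    """Return the 'response' value defined in RFC 2617 section 3.2.2."""
    ha1 = _h(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        # MD5-sess folds nonce and cnonce into HA1, so a blank cnonce
        # silently changes the digest rather than failing loudly here.
        ha1 = _h(f"{ha1}:{nonce}:{cnonce}")
    ha2 = _h(f"{method}:{uri}")
    if qop:
        return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _h(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 compatibility form (no qop)


def build_authorization(username, password, challenge_header, method, uri,
                        algorithm="MD5", nc="00000001", cnonce=None):
    """Client side: answer a WWW-Authenticate challenge with an Authorization header."""
    ch = parse_digest(challenge_header)
    offered = [q.strip() for q in ch.get("qop", "").split(",")]
    qop = "auth" if "auth" in offered else ""
    if cnonce is None:
        cnonce = secrets.token_hex(4)  # 8 hex chars, like the cnonce in the log
    resp = digest_response(username, password, ch["realm"], method, uri,
                           ch["nonce"], algorithm, qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{ch["realm"]}"',
             f'nonce="{ch["nonce"]}"', f'uri="{uri}"', f"algorithm={algorithm}"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    parts.append(f'response="{resp}"')
    return "Digest " + ", ".join(parts)


def verify_authorization(auth_header, method, issued_nonce, users):
    """Server side: recompute the digest from the stored password and compare.
    Rejects an unknown nonce and, when qop is used, an empty nc or cnonce."""
    c = parse_digest(auth_header)
    password = users.get(c.get("username"))
    if password is None or c.get("nonce") != issued_nonce:
        return False
    qop = c.get("qop", "")
    if qop and not (c.get("nc") and c.get("cnonce")):
        return False  # nc and cnonce are mandatory with qop (RFC 2617 3.2.2)
    expected = digest_response(c["username"], password, c["realm"], method,
                               c["uri"], c["nonce"], c.get("algorithm", "MD5"),
                               qop, c.get("nc", ""), c.get("cnonce", ""))
    return hmac.compare_digest(expected, c.get("response", ""))


def rfc2617_vector_ok():
    """Check digest_response against the worked example in RFC 2617 section 3.5."""
    resp = digest_response("Mufasa", "Circle Of Life", "testrealm@host.com", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "MD5", "auth", "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


def demo():
    """Run the exchange for MD5, MD5-sess, and a client that sends blank nc/cnonce."""
    users = {"aaa": "bbb"}  # constructed credentials, as in the original report
    nonce = parse_digest(SAMPLE_CHALLENGE)["nonce"]
    results = {}
    for alg in ("MD5", "MD5-sess"):
        hdr = build_authorization("aaa", "bbb", SAMPLE_CHALLENGE, "GET", "/digest-auth", alg)
        results[alg] = verify_authorization(hdr, "GET", nonce, users)
    # The symptom from the original report: nc and cnonce left blank.
    broken = build_authorization("aaa", "bbb", SAMPLE_CHALLENGE, "GET", "/digest-auth",
                                 "MD5-sess", nc="", cnonce="")
    results["blank-nc-cnonce"] = verify_authorization(broken, "GET", nonce, users)
    return results


if __name__ == "__main__":
    print("RFC 2617 vector:", rfc2617_vector_ok())
    print(demo())
```

The verifier deliberately treats a missing `nc` or `cnonce` as a failure rather than recomputing with empty strings: a server that accepted them would let a client skip the replay counter and the client-chosen entropy that `qop=auth` exists to provide, which is why a blank pair produces a 401 against a strict server even when the digest arithmetic is internally consistent.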

@medjai


medjai commented Oct 9, 2017

@harryi3t I wanted to break this up into two issues but I am using a product that utilizes Digest Auth and ServerPush to reply back to the API call (continually pushes live information about the product).

When utilizing Digest Auth MD5 with local variables it seems to fail the first time even though "Yes, disable retrying the request" is turned off.

Second issue is that Postman doesn't seem to support server push. (These are unrelated so I'll open up a different issue for this)

Video: https://kmossad.com/owncloud/index.php/s/r4ZmSYUW73RVOGG

@medjai


medjai commented Oct 9, 2017

I forgot to attach the console log. Please see

[image]

@harryi3t


harryi3t commented Oct 9, 2017

@medjai Thanks for the video and the screenshot. But unfortunately, they don't show what's happening behind the scenes. I need the logs for all the requests that are being sent.

To avoid too many back and forth comments here, would you mind joining our slack community channel where I can directly help you out?
Here's the link to join - https://www.getpostman.com/slack-invite

@medjai


medjai commented Oct 11, 2017

Works as expected; I had to remove the echo variables.

@medjai


medjai commented Oct 11, 2017

@harryi3t @shamasis can you please close this?
