HTTPPasswordMgrWithPriorAuth does not work with DigestAuthentication #70322
Comments
My first bug reported here, so might not be perfectly following the rules :) Similar to bpo-19494 ("Add urllib2.HTTPBasicPriorAuthHandler for use with APIs that don't return 401 errors") - but related to digest authentication. The sending of the auth header at all times works when using basic authentication, but not with digest authentication (verified with Wireshark). IMHO it should be the same behaviour with digest authentication - I think the change needs to be applied there as well. Example code to check:
Despite the title of the other report, it looks like we ended up having a HTTPPasswordMgrWithPriorAuth class instead, and there is no longer a HTTPBasicPriorAuthHandler class. Also, if this proposal could work, it would have to go into a new version of Python; 3.5 has already been released. With Basic authentication, the client can easily pre-empt an Authorization field, because it sends the username and password in the clear. I have less understanding of Digest authentication, but it is described in <https://tools.ietf.org/html/rfc7616>. I understand the client first needs a “nonce” value issued by the server before it can generate the Authorization field. You gave some demonstration code. Can you explain what the code should be doing at the HTTP level? Do you have any example server, use case, or something that this would work with? What were you looking for with Wireshark? I suspect you would need to include the nonce or some previous session object with the password manager. The code to generate the Authorization field with Basic authentication is in AbstractBasicAuthHandler.http_request(): <https://hg.python.org/cpython/annotate/v3.5.1/Lib/urllib/request.py#l925>. For comparison, the Digest data for the Authorization field is generated in AbstractDigestAuthHandler.get_authorization(). See how it requires the “chal” parameter, derived from an Authorization response field.
Perhaps this is similar to bpo-7752, about reusing the nonce.
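The difference discussed in the comments above, as an added example that is not part of the issue thread or of CPython: the Basic field is derived from the credentials alone, while the Digest response (algorithm MD5, qop=auth, per RFC 2617 / RFC 7616) needs the realm and nonce from a server challenge, and can only be sent up front by reusing a stored nonce with an incremented nonce count. `DigestSession` is a hypothetical helper, and the credentials used to check it are the RFC's own sample values.

```python
import base64
import hashlib


def basic_authorization(user, password):
    """Basic needs only the credentials, so it can be sent before any 401."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, chal, nc, cnonce):
    """Digest 'response' value for algorithm=MD5, qop=auth.

    chal holds what the server issued in its 401 challenge; without its
    realm and nonce the response cannot be computed at all.
    """
    if not chal or "realm" not in chal or "nonce" not in chal:
        raise ValueError("no server challenge yet: Digest cannot be pre-empted")
    ha1 = _md5(f"{user}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{chal['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")


class DigestSession:
    """Hypothetical helper: remembers the last challenge so later requests
    can carry the response up front, each with a higher nonce count."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.chal, self.nc = None, 0

    def store_challenge(self, chal):
        # A fresh nonce from the server restarts the nonce count.
        self.chal, self.nc = dict(chal), 0

    def authorize(self, method, uri, cnonce):
        # Raises ValueError until a challenge has been stored.
        response = digest_response(self.user, self.password, method, uri,
                                   self.chal, self.nc + 1, cnonce)
        self.nc += 1
        return self.nc, response
```

A server may still reject a reused nonce as stale, in which case the client has to store the new challenge and retry.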