HTTPPasswordMgrWithPriorAuth does not work with DigestAuthentication #70322

Open
guesommer mannequin opened this issue Jan 16, 2016 · 3 comments
Labels
stdlib Python modules in the Lib dir type-feature A feature request or enhancement

Comments

guesommer mannequin commented Jan 16, 2016

BPO 26134
Nosy @orsenthil, @vadmium

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2016-01-16.23:39:30.564>
labels = ['type-feature', 'library']
title = 'HTTPPasswordMgrWithPriorAuth does not work with DigestAuthentication'
updated_at = <Date 2016-01-18.03:09:09.855>
user = 'https://bugs.python.org/guesommer'

bugs.python.org fields:

activity = <Date 2016-01-18.03:09:09.855>
actor = 'orsenthil'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2016-01-16.23:39:30.564>
creator = 'guesommer'
dependencies = []
files = []
hgrepos = []
issue_num = 26134
keywords = []
message_count = 3.0
messages = ['258435', '258442', '258453']
nosy_count = 3.0
nosy_names = ['orsenthil', 'martin.panter', 'guesommer']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'test needed'
status = 'open'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue26134'
versions = ['Python 3.6']

guesommer mannequin commented Jan 16, 2016

My first bug reported here, so might not be perfectly following the rules :)

Similar to bpo-19494 ("Add urllib2.HTTPBasicPriorAuthHandler for use with APIs that don't return 401 errors") - but related to digest authentication.

The sending of the auth header at all times works when using basic authentication, but not with digest authentication (verified with wireshark).

IMHO it should be the same behaviour with digest authentication - I think the change needs to be applied there as well.

example code to check:
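```python
import urllib.request

password_mgr = urllib.request.HTTPPasswordMgrWithPriorAuth()
# is_authenticated=True marks the URI as already authenticated (prior auth)
password_mgr.add_password(None, "http://www.example.org", "supercow", "blablabla", is_authenticated=True)
auth_handler = urllib.request.HTTPDigestAuthHandler(password_mgr)
opener = urllib.request.build_opener(auth_handler)
# Make this opener the default for urllib.request.urlopen()
urllib.request.install_opener(opener)
```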

@guesommer guesommer mannequin added the stdlib Python modules in the Lib dir label Jan 16, 2016
vadmium commented Jan 17, 2016

Despite the title of the other report, it looks like we ended up having a HTTPPasswordMgrWithPriorAuth class instead, and there is no longer a HTTPBasicPriorAuthHandler class. Also, if this proposal could work, it would have to go into a new version of Python; 3.5 has already been released.

With Basic authentication, the client can easily pre-empt an Authorization field, because it sends the username and password in the clear. I have less understanding of Digest authentication, but it is described in <https://tools.ietf.org/html/rfc7616>. I understand the client first needs a “nonce” value issued by the server before it can generate the Authorization field.

You gave some demonstration code. Can you explain what the code should be doing at the HTTP level? Do you have any example server, use case, or something that this would work with? What were you looking for with Wireshark? I suspect you would need to include the nonce or some previous session object with the password manager.

The code to generate the Authorization field with Basic authentication is in AbstractBasicAuthHandler.http_request(): <https://hg.python.org/cpython/annotate/v3.5.1/Lib/urllib/request.py#l925>. For comparison, the Digest data for the Authorization field is generated in AbstractDigestAuthHandler.get_authorization(). See how it requires the “chal” parameter, derived from an Authorization response field.

@vadmium vadmium changed the title urllib2.HTTPBasicPriorAuthHandler does not work with DigestAuthentication HTTPPasswordMgrWithPriorAuth does not work with DigestAuthentication Jan 17, 2016
@vadmium vadmium added the type-feature A feature request or enhancement label Jan 17, 2016
vadmium commented Jan 17, 2016

Perhaps this is similar to bpo-7752, about reusing the nonce.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
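
Added example, not part of the original thread and not CPython code: it shows why a Basic header can be built from the credentials alone while a Digest header needs the server-issued realm and nonce, and how a client that remembers the last challenge could pre-empt later requests by reusing the nonce with an increasing `nc`. `PriorDigestAuth` and its methods are hypothetical names; MD5 with `qop=auth` is assumed so the output can be checked against the sample values in RFC 2617.

```python
import base64
import hashlib


def basic_authorization(user, password):
    """Basic needs only the credentials, so it can be sent pre-emptively."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, chal, nc, cnonce):
    """RFC 2617/7616 response value for algorithm=MD5, qop=auth.

    `chal` holds the server-issued realm and nonce; without it there is
    nothing to hash, which is why no header can be built before a 401.
    """
    ha1 = _md5(f"{user}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{chal['nonce']}:{nc:08x}:{cnonce}:auth:{ha2}")


class PriorDigestAuth:
    """Hypothetical helper: remembers the last challenge and reuses its nonce."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.chal = None   # filled in from a WWW-Authenticate challenge
        self.nc = 0        # nonce count, must increase for each reuse

    def remember(self, chal):
        self.chal, self.nc = chal, 0

    def authorization(self, method, uri, cnonce):
        if self.chal is None:
            return None    # no nonce yet: the first request goes out bare
        self.nc += 1
        resp = digest_response(self.user, self.password, method, uri,
                               self.chal, self.nc, cnonce)
        return (f'Digest username="{self.user}", realm="{self.chal["realm"]}", '
                f'nonce="{self.chal["nonce"]}", uri="{uri}", qop=auth, '
                f'nc={self.nc:08x}, cnonce="{cnonce}", response="{resp}"')
```

A pre-empted header only succeeds while the server still accepts the remembered nonce; once it expires the server answers 401 with a fresh challenge, and the client has to call `remember()` again.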