Support digest auth #205
Comments
|
Do we have any way of doing this externally? Lets say we implement our own Digest authentication scheme. Does okhttp or HttpURLConnection support it? |
|
@etiennemartin yep. Just implement |
|
for anyone interested, I have made https://github.com/rburgst/okhttp-digest available. Turns out that "just" implementing Authenticator is not trivial for Digest authentication. |
|
As it happens, I have done an implementation of Digest (and Basic) auth including
It depends only on okhttp and doesn't import third-party code. Are you interested in taking this into okhttp (after further testing etc.)? |
|
@rfc2822 yeah! Are you the original author & willing to license as Apache 2? |
|
@swankjesse Yes. Some small changes would still have to be done, e.g. adapt logging and removing |
|
Excellent. And you know me, I'm a pretty thorough (read: pedantic) code reviewer. But your starting place looks healthy, especially with the wealth of tests. |
|
@rfc2822 I had something like your solution as well but unfortunately it doesn't support authenticated sessions. I.e. if you did multiple requests, then every request would cause a 401 cycle. I had to introduce an interceptor and extend the Authenticator API to support this (unless there is another solution that I am missing). |
|
@rburgst Do you mean I use this code above to talk to do actual Digest authentication, so it works, but I think the servers are talking Or do you mean preemptive authentication in a session (»The Authorization header may be included preemptively; doing so improves server efficiency and avoids extra round trips for authentication challenges.«)? |
|
No, I mean if you have an authenticated session where you perform multiple operations (say PROFIND, GET, PUT, ...) then usually this always incurs a 401 response from the server since every new request will be unauthenticated. Once you have the nonce from the server, you can already pre-authenticate the following requests to avoid those extra round trips. |
I guess you mean preemptive authentication (sending the But:
Is this what you mean? As far as I understand it, it's
One could argue that it's even more secure if the server provides a new nonce for every request (which I have seen), and in this case every request HAS to be sent twice, once without Authorization header and once with header. I agree that it would be faster and better to avoid those unnecessary requests, but I didn't do it because
|
|
In my use case (where I do multiple requests) it is essential. The additional roundtrips multiply the processing by a factor of 2. IMHO every mobile implementation should strive to minimise roundtrips. But in essence you are right, you wouldn't strictly need it. |
|
Has there been any more progress to get Digest Auth merged into OkHttp master? I'm in the process of refactoring Apache NiFi's InvokeHttp processor to use OkHttp and would like to allow digest auth. @rfc2822's implementation would work best for my use case (handshake instead of preemptive). |
|
For OkHttp 3.0 I'm quite tempted to drop the |
|
.. which is really to say, if you can do digest auth as an interceptor, that might be fantastic |
|
Having to deal with the AuthCache and Authenticators can be confusing to a new user. A simple template for a digest interceptor would be great. For basic auth though, I'm just adding an Authorization header since it doesn't rely on a handshake. |
|
Actually thinking about it some more, the only way for the digest handshake to work (at least on the first call) is synchronously since it needs the realm, qop, nonce and opaque values (assuming not preemptive). I'm not sure what the best practice is for interceptors but in order to handle that use-case I'd imagine you'd have to catch the response, compute the auths and resend the request within the intercepted response. |
|
@swankjesse you can check how Apache does it, they do have a concept of an overarching HTTP context where data can be shared between multiple requests. This is then used by the authenticators who need it. However, I agree this is not entirely trivial to get right with Apache HC. |
|
Because authentication is a core feature of HTTP, my humble suggestion is that okhttp should parse and understand the
|
|
@rfc28222 yep! And we could build all of that behavior into an interceptor. |
|
Any news about the digest authentication in okhttp ? |
|
@mopsop Our implementation in dav4android (+ tests) is still not caching, but it's usable (and used in real life). If you need another license, please let me know. Maybe you can contributing caching behavior … |
|
I tried to adapt the code to use it with a Proxy with digest authentication by changing the header names, but the authentication fails :( And I would like something for Android and Java |
|
Any update on whether one of these solutions will be merged into okhttp? |
|
Try this: |
|
I’m closing this. The interceptor above should be good enough for anyone who wants digest auth. |
|
For reference, currently okhttp-digest relies on the Android logger and causes errors for those who aren't running on an Android device. I raised an issue[1] and @rburgst is working to address it. |
|
okhttp-digest now uses slf4j |
Android issue 11140
The text was updated successfully, but these errors were encountered: