Issue 26134: HTTPPasswordMgrWithPriorAuth does not work with DigestAuthentication
My first bug reported here, so might not be perfectly following the rules :)
Similar to issue 19494 ("Add urllib2.HTTPBasicPriorAuthHandler for use with APIs that don't return 401 errors") - but related to digest authentication.
The sending of the auth header at all times works when using basic authentication, but not with digest authentication (verified with wireshark).
IMHO it should be the same behaviour with digest authentication - I think the change needs to be applied there as well.
Example code to check:

```python
import urllib.request

# Password manager that marks the URI as already authenticated
password_mgr = urllib.request.HTTPPasswordMgrWithPriorAuth()
password_mgr.add_password(None, "http://www.example.org", "supercow", "blablabla", is_authenticated=True)
auth_handler = urllib.request.HTTPDigestAuthHandler(password_mgr)
opener = urllib.request.build_opener(auth_handler)
urllib.request.install_opener(opener)
```
Despite the title of the other report, it looks like we ended up having a HTTPPasswordMgrWithPriorAuth class instead, and there is no longer a HTTPBasicPriorAuthHandler class. Also, if this proposal could work, it would have to go into a new version of Python; 3.5 has already been released.
With Basic authentication, the client can easily pre-empt an Authorization field, because it sends the username and password in the clear. I have less understanding of Digest authentication, but it is described in <https://tools.ietf.org/html/rfc7616>. I understand the client first needs a “nonce” value issued by the server before it can generate the Authorization field.
You gave some demonstration code. Can you explain what the code should be doing at the HTTP level? Do you have any example server, use case, or something that this would work with? What were you looking for with Wireshark? I suspect you would need to include the nonce or some previous session object with the password manager.
The code to generate the Authorization field with Basic authentication is in AbstractBasicAuthHandler.http_request(): <https://hg.python.org/cpython/annotate/v3.5.1/Lib/urllib/request.py#l925>. For comparison, the Digest data for the Authorization field is generated in AbstractDigestAuthHandler.get_authorization(). See how it requires the “chal” parameter, derived from an Authorization response field.
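The difference discussed in this thread can be reproduced offline with the two handlers. The following is an added example, not code posted by either participant: it calls `http_request()` and `get_authorization()` directly, and the request path, realm and nonce values are constructed assumptions. The challenge omits `qop` so the result is deterministic.

```python
import base64
import hashlib
import urllib.request

URL = "http://www.example.org/data"       # constructed request URL
USER, PASSWORD = "supercow", "blablabla"  # credentials from the report

def make_manager():
    mgr = urllib.request.HTTPPasswordMgrWithPriorAuth()
    mgr.add_password(None, "http://www.example.org", USER, PASSWORD,
                     is_authenticated=True)
    return mgr

def basic_preemptive():
    """Basic: the header is built from the stored credentials alone."""
    handler = urllib.request.HTTPBasicAuthHandler(make_manager())
    req = handler.http_request(urllib.request.Request(URL))
    return req.get_header("Authorization")

def digest_header(chal):
    """Digest: get_authorization() needs the parsed server challenge."""
    handler = urllib.request.HTTPDigestAuthHandler(make_manager())
    return handler.get_authorization(urllib.request.Request(URL), chal)

def expected_digest_response(realm, nonce):
    """Response value without qop: MD5(HA1:nonce:HA2), computed by hand."""
    def md5(text):
        return hashlib.md5(text.encode("ascii")).hexdigest()
    ha1 = md5(f"{USER}:{realm}:{PASSWORD}")
    ha2 = md5("GET:/data")  # method and selector of the request above
    return md5(f"{ha1}:{nonce}:{ha2}")

if __name__ == "__main__":
    # Constructed challenge, as if parsed from a server's 401 response
    chal = {"realm": "example", "nonce": "constructed-nonce-1"}
    print("Basic, no challenge:  ", basic_preemptive())
    print("Digest, no challenge: ", digest_header({}))
    print("Digest, with challenge:", digest_header(chal))
    print("Digest handler has http_request hook:",
          hasattr(urllib.request.HTTPDigestAuthHandler, "http_request"))
```
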