HTTP Digest Authentication

Manfred Stienstra

For traditional sites, cookie-based authentication was often the best choice, especially because the application has complete control over the session, which allows for automatic logouts and other freaky stuff. Over the last year I’ve implemented quite a few authenticated applications and a large number of them have feeds or a web service interface of some sort. But feed readers and REST clients don’t really like cookie-based authentication: there is no login form to submit and no place to keep a session cookie. HTTP Authentication is an obvious alternative, so we started using it.

In a lot of to-do lists, under the heading ‘in the distant future’, there was an item: implement digest authentication. So I decided to bite the bullet and read RFC 2617.

I implemented the protocol for both sides, client and server. I sincerely believe that’s the best way to implement a protocol. That way you can always test the partially implemented client against the partially implemented server and bootstrap until everything is done. The best thing is that client and server implementations share a lot of algorithms (the digest computation is identical on both ends), so working on both makes your implementation orthogonal by default.

Implementing the specs went well, until I tried to talk to other implementations. Already in the first week I discovered four problems:

  1. Apache doesn’t send the required ‘nextnonce’ directive in its Authentication-Info header.
  2. Safari quotes the algorithm and qop directives in the Authorization header. These directives shouldn’t be quoted; RFC 2617 defines them as bare tokens.
  3. IE quotes the algorithm and qop directives just like Safari does.
  4. IE computes the digest only over the path part of the URI instead of over the path and query part, so a server that digests the full request-URI rejects its responses. (From the Apache documentation for mod_auth_digest.)
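The computation both sides share, plus a server that can opt in to the Safari/IE quirks from the list above, as an added example in Ruby. This is my own illustration, not the httpauth gem’s code and not RFC 2617’s reference C code; the module name, the accept_path_only_uri switch and the password_lookup callback are my own choices. The sample values are the ones from the example in RFC 2617 section 3.5, so the response it produces can be checked against the RFC.

```ruby
require 'digest/md5'
require 'securerandom'

# Added example, not the httpauth gem's code: RFC 2617 Digest with qop=auth,
# a lenient Authorization parser and a verifier that can opt in to the two
# browser quirks discussed above (quoted algorithm/qop, path-only digest-uri).
module DigestAuthExample
  # RFC 2617 sends these Authorization directives as bare tokens, not quoted-strings.
  UNQUOTED = %w[algorithm qop nc].freeze

  # Sample values from the RFC 2617 section 3.5 example (not a real account).
  RFC_EXAMPLE = { username: 'Mufasa', password: 'Circle Of Life', realm: 'testrealm@host.com',
                  nonce: 'dcd98b7102dd2f0e8b11d0f600bfb0c093', method: 'GET',
                  uri: '/dir/index.html', nc: 1, cnonce: '0a4f113b',
                  opaque: '5ccc069c403ebaf9f0171e9517f40e41' }.freeze

  # Parse 'Digest k="v", k=v, ...' into a Hash. Every directive may be quoted
  # or bare here, so Safari's and IE's quoted algorithm/qop still parse.
  def self.parse_authorization(header)
    scheme, rest = header.to_s.split(' ', 2)
    raise ArgumentError, 'not a Digest header' unless scheme == 'Digest'
    params = {}
    rest.to_s.scan(/(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))/) do |key, quoted, bare|
      params[key] = quoted ? quoted.gsub(/\\(.)/, '\1') : bare
    end
    params
  end

  # H(A1) = MD5(username ":" realm ":" password)
  def self.ha1(username, realm, password)
    Digest::MD5.hexdigest("#{username}:#{realm}:#{password}")
  end

  # H(A2) = MD5(method ":" digest-uri)   (qop=auth; auth-int would also hash the body)
  def self.ha2(method, uri)
    Digest::MD5.hexdigest("#{method}:#{uri}")
  end

  # request-digest = MD5(H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2))
  def self.response(ha1, nonce, nc, cnonce, qop, ha2)
    Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
  end

  # Client side: build a spec-conformant Authorization value. `uri` must be the
  # request-URI as sent on the request line, including any query string.
  def self.authorization_header(username:, password:, realm:, nonce:, method:, uri:,
                                nc: 1, cnonce: SecureRandom.hex(8), opaque: nil)
    nc_str = format('%08x', nc)
    resp = response(ha1(username, realm, password), nonce, nc_str, cnonce, 'auth',
                    ha2(method, uri))
    d = { 'username' => username, 'realm' => realm, 'nonce' => nonce, 'uri' => uri,
          'qop' => 'auth', 'nc' => nc_str, 'cnonce' => cnonce, 'response' => resp,
          'algorithm' => 'MD5' }
    d['opaque'] = opaque if opaque
    'Digest ' + d.map { |k, v| UNQUOTED.include?(k) ? "#{k}=#{v}" : %(#{k}="#{v}") }.join(', ')
  end

  # Server side. `password_lookup` maps a username to its plaintext password
  # (a real store would keep H(A1) instead). `request_uri` is what the server
  # actually received, path plus query. Nonce freshness and nc replay checks
  # are left out to keep the digest maths in focus.
  def self.valid?(header, method:, request_uri:, realm:, nonce:, password_lookup:,
                  accept_path_only_uri: false)
    p = parse_authorization(header)
    return false unless %w[username nonce uri nc cnonce response].all? { |k| p[k] }
    return false unless p['realm'] == realm && p['nonce'] == nonce
    return false unless (p['algorithm'] || 'MD5').casecmp('MD5').zero? && p['qop'] == 'auth'
    # The client's digest-uri must match the request. With accept_path_only_uri
    # (the mod_auth_digest query-string workaround for IE) the path alone is also
    # accepted, at the cost of no longer binding the query string to the digest.
    allowed = [request_uri]
    allowed << request_uri.split('?', 2).first if accept_path_only_uri
    return false unless allowed.include?(p['uri'])
    password = password_lookup.call(p['username'])
    return false unless password
    expected = response(ha1(p['username'], realm, password), nonce, p['nc'], p['cnonce'],
                        'auth', ha2(method, p['uri']))
    secure_compare(expected, p['response'])
  end

  # Constant-time comparison so a wrong response does not leak how many leading
  # hex digits were right.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  puts DigestAuthExample.authorization_header(**DigestAuthExample::RFC_EXAMPLE)
end
```

Run as a script it prints the Authorization line for the RFC’s Mufasa example, whose response directive should come out as 6629fae49393a05397450978507c4ef1. The accept_path_only_uri switch is off by default on purpose: once a server accepts a digest over the path alone, an attacker who captures a request can replay it with a different query string for as long as the nonce stays valid, which is exactly the integrity the digest-uri was meant to provide.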

This brings up quite a few questions. Did Safari copy the quoting behaviour from IE instead of reading the RFC themselves? Is implementing standards too hard? Should standards be replaced by reference implementations?

I’m willing to tackle the last question because it’s so easy to answer. RFC 2617 happens to provide a reference implementation for computing Authorization headers, so that can’t be the problem. So are standards just too hard? RFC 2617 is a pretty complicated piece of header prose, but it’s not as long and tangled as the HTTP specs. And way, way easier than the SOAP specs. So there must be something else.

Let’s assume for a moment that standards are completely unambiguous and well written. Given that premise, I believe that the quality of the implementation is a direct result of the determination and vigilance of the programmer. Or better yet, of the group of programmers. Two pairs of eyes see more than one, and a whole open source community sees more than just one annoyed corporate programmer.

I think digest authentication implementations haven’t received the level of scrutiny that other protocols have, and that this has resulted in a number of bugs in the various implementations. On that note I would like you to check out my own implementation: HTTP Authentication for Ruby. You can find the API documentation on RubyForge. There is also a gem, which you can install the usual way:

gem install httpauth

This is still early beta and there are bugs and limitations.