Support for HTTP Digest Authentication about web2py HOT 13 CLOSED

From [email protected] on July 06, 2012 06:51:29

Looking into this... http://en.wikipedia.org/wiki/Digest_access_authentication Not sure what "entityBody" is.

from web2py.

From [email protected] on July 06, 2012 07:20:14

I'm trying to implement this on my client also.
Here are some resources that might help:

• Chromium tests for auth.
• A sample c++ code https://code.google.com/p/chromium/source/search?q=username+nonce&origq=username+nonce&btnG=Search+Trunk https://code.google.com/searchframe#L7BRNLZzKBo/trunk/live555/live/liveMedia/RTSPServer.cpp&ct=rc&cd=19&q=Digest%20access%20authentication%20lang:%5Ec%2B%2B$&sq=

from web2py.

From [email protected] on July 09, 2012 02:27:50

Looks like urllib2 has support for digest auth:

E.g. Used in the mercurial-api: http://danchr.bitbucket.org/mercurial-api/mercurial.url-pysrc.html#httpdigestauthhandler

from web2py.

From [email protected] on July 09, 2012 19:43:22

I can find the API to generate the digest credentials, not to validate them.

from web2py.

From [email protected] on July 11, 2012 00:20:06

Maybe this will be of help? - https://bitbucket.org/btimby/python-digest

from web2py.

From [email protected] on July 16, 2012 13:51:46

also here http://svn.cherrypy.org/trunk/cherrypy/lib/auth_digest.py

from web2py.

From [email protected] on August 07, 2012 20:07:02

Labels: -Type-Defect Type-Enhancement

from web2py.

IMHO there's a clash on what is required and how we handle auth.
One of the hard requirements for supporting the digest auth is to be able to reconstruct the original password in "cleartext".
If we stored those using md5 as we used to a long time ago, it would still be possible in some corner-cases, but I don't see how can we integrate HTTP digest with our current hashing scheme.

@mdipierro , @michele-comitini , @abastardi : opinions ?

from web2py.

I agree, really chaotic.
Impossible to apply to web2py, given an already existing set of
username/hashed-password. One would require the client to do the same hash
before starting the challenge or as you say, have the cleartext password.

Moreover IMHO it does not add any security to Basic Auth + TLS
https://tools.ietf.org/html/rfc2617#section-4.13
https://tools.ietf.org/html/rfc2617#section-4.14

2015-03-02 22:33 GMT+01:00 niphlod [email protected]:

IMHO there's a clash on what is required and how we handle auth.
One of the hard requirements for supporting the digest auth is to be able
to reconstruct the original password in "cleartext".
If we stored those using md5 as we used to a long time ago, it would still
be possible in some corner-cases, but I don't see how can we integrate HTTP
digest with our current hashing scheme.

@mdipierro https://github.com/mdipierro , @michele-comitini
https://github.com/michele-comitini , @abastardi
https://github.com/abastardi : opinions ?

—
Reply to this email directly or view it on GitHub
#621 (comment).

from web2py.

made little sense in 2012, but in 2015 I agree, there are FAR better alternatives for API authentication.
I'm a fan of Basic over HTTPS but hey, maybe it's just me.

from web2py.

@mdipierro : as always, you're the one who can rule definitely if this issue is still valid or has to be closed.

from web2py.

@mdipierro : this can be closed if you agree with @michele-comitini and me

from web2py.

closing after 2 months of lack of replies by @mdipierro .

from web2py.