Add Digest Authentication to client #788

@wom-bat wom-bat commented Jun 22, 2020

Uses the python3-digest package to decode the HTTP digest authorisation challenge
and create an appropriate extra header to authenticate.

This addresses issue #784 -- it's really a straw-man PR, as a start at how one might do it. I'm sure there are better ways...

@aaugustin
Member

Thanks for the PR. The approach looks correct.

Currently websockets has no external dependencies. I'll take a look at how hard it is to reproduce the digest auth algorithm. Probably not very hard; using a dependency was a good idea for this PoC.

I'm half-way through a gigantic refactor (#676) so I'd like to avoid creating conflicts for a few more days. That said, I'm optimistic that we'll make this work :-)

@lex-talionis-emmainternational

Is there an example on how to use this option? I took a look at the diff for the commit, but I don't see anything obvious like a change in the ws.connect() method. Are you passing in an extra_header or is there something I'm missing that turns on Digest auth? If I can get it working I'm happy to add an example in the vein of basic_auth_client.py.

@wom-bat
Author

wom-bat commented Sep 25, 2020

You just connect:

uri='ws://user:password@host/api'
websocket = await connect(uri)

If digest auth is enabled on the server, the connect method will respond to the challenge and insert a new header.

@lex-talionis-emmainternational

Thank you! I tracked the issue down to the server I'm connecting to - it does not form 401's correctly when given a basic auth header. Instead, it terminates the TCP connection abruptly, which was stopping your code from detecting the auth type correctly. This behavior is against the HTTP standard but alas, I'm stuck with this server. I'd be happy to send through packet captures, curl logs, or the logs from urllib3/websockets if they would help anyone. Not sure it is worth going out of the way to support a device that isn't conforming to standards, but some way to force digest auth would probably be all it takes.

@apteronal

apteronal commented Apr 13, 2023

@wom-bat, thank you for this PR. It was a huge help and enabled me to use digest authentication for my application.

In my case, I had to hack python3-digest to not require the 'opaque' field because the server my application connects to does not send it. It looked like python3-digest is not actively maintained so I didn't try submitting an issue.

Also, the PR no longer merged for me due to changes to websockets. Attached is a patch that re-implements it on the latest websockets, in case it's useful to someone:
788_2023-04-12_patch.txt

(GitHub won't allow me to upload it with the .patch extension. If anyone could tell me what I'm doing wrong I'd appreciate it.)
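
Added example (not part of the thread, and not code from websockets or python3-digest): a standard-library sketch of the Digest computation discussed above, building the Authorization value from a WWW-Authenticate challenge and treating the 'opaque' field as optional. The function names are hypothetical, only algorithm MD5 with qop=auth or no qop is handled, and the sample challenge is the worked example from RFC 2617.

```python
import hashlib
import re
import secrets

# Constructed sample input: the challenge from the RFC 2617 worked example.
CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
# Matches key="quoted value" or key=token pairs in the challenge.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

def parse_challenge(header):
    """Parse a 'Digest ...' WWW-Authenticate value into a dict (hypothetical helper)."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    return {k.lower(): q or t for k, q, t in _PARAM.findall(rest)}

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_header(challenge, username, password, method, uri, cnonce=None, nc=1):
    """Build the Authorization header value for an MD5 Digest challenge."""
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this sketch")
    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    fields = [f'username="{username}"', f'realm="{realm}"',
              f'nonce="{nonce}"', f'uri="{uri}"']
    qops = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        cnonce = cnonce or secrets.token_hex(8)  # fresh client nonce per request
        nc_value = f"{nc:08x}"                   # nonce count, 8 hex digits
        response = _md5(f"{ha1}:{nonce}:{nc_value}:{cnonce}:auth:{ha2}")
        fields += ["qop=auth", f"nc={nc_value}", f'cnonce="{cnonce}"']
    elif not qops:
        response = _md5(f"{ha1}:{nonce}:{ha2}")  # legacy form without qop
    else:
        raise ValueError("server offers no supported qop")
    fields.append(f'response="{response}"')
    if "opaque" in challenge:                    # echo it only if the server sent one
        fields.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(fields)
```

For repeated requests under the same server nonce, pass an increasing nc.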
