net/http: add digest access authentication to Transport #29409
Comments
Thank you @Baozisoftware for filing this request and welcome to the Go project! I'll page some experts @bradfitz @FiloSottile @agl.
I'm not opposed. I would use this functionality myself. (I have code in a number of places to do this by hand, which gets tedious.) Please start by proposing a concrete API. Once we like the API we can then move on to reviewing code.
The best third party library I've found is https://github.com/bobziuchkovski/digest
Edit: I ended up implementing my own package which re-uses challenges for the same domain. https://github.com/icholy/digest
Hi, as I've exposed in a telegraf issue, I'd also like to suggest the support for Digest authentication in http. Let me quote:
and
Keep in mind that many companies use Digest auth by default instead of basic auth because of the added security features. Even if Digest is not perfect or the best, it's at least a step forward from basic auth. Thanks!
(This ticket has the Proposal-Accepted label but it looks like there wasn't ever an API proposed?) A rough proposed API that extends
I see two separate concerns here, which I feel should be addressed separately: request authentication (the Disclosure: I'm more interested in the latter, having had to implement it. This may color my views below.
Request authentication
I haven't had to implement this, so please correct me if I'm wrong. Digest authentication for requests:
Proxy authentication
Digest authentication for proxies:
As I've said, I had to implement this myself, Having had to implement this, I personally feel the standard library is the correct place to do it. Some proxies that do not currently work would suddenly begin to work, and that would be the only user visible change (also, their credentials would not leak as easily). Particularly concerning to me was that, for HTTP proxies, Go leaks user credentials in the clear by issuing
TLDR
If there's any interest in Digest authentication for proxies, I would be willing to clean up and improve my implementation (there's work to do), and adapt it for inclusion in the standard library. I have the following questions/concerns regarding implementation:
Comments, suggestions? Should I go ahead with this?
I tried to add Digest access authentication support in http.Transport today. Currently it is available for proxy servers. (Compatible with basic auth, but not tested.)
I hope the official can integrate it. After all, this is a base library.
Reference: https://github.com/delphinus/go-digest-request
Mainly modified:
Transport.roundTrip
Transport.dialConn
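For readers following the thread, an added example (not code from the issue, the linked packages, or the Go project) of the client-side computation that Digest authentication requires, using MD5 with qop=auth as defined in RFC 2617. The `Challenge` type and function names are assumptions made for this sketch; challenge parsing and the retry round trip are left out.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// Challenge holds fields already parsed from a "Digest" WWW-Authenticate or
// Proxy-Authenticate header (hypothetical type; parsing is omitted here).
type Challenge struct{ Realm, Nonce, Opaque string }

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestResponse computes the RFC 2617 "response" for algorithm=MD5, qop=auth.
// Only a hash bound to the server nonce is produced; the password is not sent.
func DigestResponse(user, pass, method, uri string, c Challenge, nc uint32, cnonce string) string {
	ha1 := md5hex(user + ":" + c.Realm + ":" + pass)
	ha2 := md5hex(method + ":" + uri)
	return md5hex(fmt.Sprintf("%s:%s:%08x:%s:auth:%s", ha1, c.Nonce, nc, cnonce, ha2))
}

// AuthorizationHeader builds the value for Authorization (or Proxy-Authorization).
// Assumes field values contain no double quotes or backslashes.
func AuthorizationHeader(user, pass, method, uri string, c Challenge, nc uint32, cnonce string) string {
	resp := DigestResponse(user, pass, method, uri, c, nc, cnonce)
	return fmt.Sprintf(`Digest username="%s", realm="%s", nonce="%s", uri="%s", `+
		`algorithm=MD5, qop=auth, nc=%08x, cnonce="%s", response="%s", opaque="%s"`,
		user, c.Realm, c.Nonce, uri, nc, cnonce, resp, c.Opaque)
}

func main() {
	// Sample values are the worked example from RFC 2617; a real client
	// generates a fresh random cnonce and increments nc for each request.
	c := Challenge{
		Realm:  "testrealm@host.com",
		Nonce:  "dcd98b7102dd2f0e8b11d0f600bfb0c093",
		Opaque: "5ccc069c403ebaf9f0171e9517f40e41",
	}
	fmt.Println(AuthorizationHeader("Mufasa", "Circle Of Life", "GET", "/dir/index.html", c, 1, "0a4f113b"))
}
```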