DEV Community: Callum Houghton The latest articles on DEV Community by Callum Houghton (@callumhoughton18). https://dev.to/callumhoughton18 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F740076%2Fd46f6ba6-27e0-4d62-b44f-506d2daddd06.jpeg DEV Community: Callum Houghton https://dev.to/callumhoughton18 en Implementing Digest Authentication in .NET Callum Houghton Thu, 05 May 2022 14:30:14 +0000 https://dev.to/callumhoughton18/implementing-digest-authentication-in-net-396j https://dev.to/callumhoughton18/implementing-digest-authentication-in-net-396j <p><strong>UPDATE (03/10/2022): .NET 6 should now successfully do digest authentication, <a href="https://github.com/CallumHoughton18/csharp-dotnet-digest-authentication/issues/1">as kindly pointed by someone in the example repository</a>. Should save you the hassle of doing it manually, like in this blog post!</strong></p> <p>'The HttpClient class should handle this' I hear you say. Well, unfortunately setting network credentials on a HttpClient instance didn't seem to work for me. <a href="https://stackoverflow.com/questions/62190100/c-sharp-httpclient-digest-authentication-not-work">Multiple</a> <a href="https://stackoverflow.com/questions/59939357/net-core-httpclient-digest-authentication">people</a> <a href="https://stackoverflow.com/questions/65761976/net-5-httpclient-digest-authentication">seem</a> <a href="https://github.com/dotnet/runtime/issues/50283">to</a> be reporting that they also were running into issues. I couldn't find any information as to whether this should be fixed in .NET 6, plus I needed it to be portable to .NET Framework 4.8 (💀💀💀). Either way, I'm going to run through how I implemented digest authentication as an extension method for the HttpClient class.</p> <p><strong>TL;DR: You can read the code in my GitHub repository <a href="https://github.com/CallumHoughton18/csharp-dotnet-digest-authentication">here</a>, the README provides an example usage. For one request we generate two requests using my method as nothing (nonces, nonce counts) is cached. You can probably cache the header and implement the nonce count properly but that is beyond the scope of what I needed.</strong></p> <p>This isn't going to implement the full RFC specification for digest authentication. Instead it should be a pretty good starting point for people looking for something that 'just works'.</p> <p>I'll be using <a href="https://httpbin.org/">Httpbin</a> to simulate the digest authentication workflow.</p> <h3> Prerequisites </h3> <ul> <li>Familiarity with .NET development</li> <li>Familiarity with HTTP</li> <li>A fuzzy idea of what digest authentication is and or knowledge of basic authentication</li> <li>Be frustrated that .NET doesn't do this for you (❗<strong>IMPORTANT</strong>❗)</li> </ul> <h3> Digest Authentication - An Overview </h3> <p><a href="https://en.wikipedia.org/wiki/Digest_access_authentication">Wikipedia already gives a great overview</a> of how digest authentication works. If you want a more in depth explanation you should probably read that. But to follow along all you really need to know is:</p> <ul> <li>A request is sent, the server responds with a 401, and the response has a header like:</li> </ul> <blockquote> <p>WWW-Authenticate: Digest realm="<a href="mailto:testrealm@host.com">testrealm@host.com</a>",<br> qop="auth",<br> nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",<br> opaque="5ccc069c403ebaf9f0171e9517f40e41"</p> </blockquote> <ul> <li>You parse the header and retrieve the realm, qop (quality of protection), nonce, and opaque challenges.</li> <li>Using a combination of the username, password, and nonces you calculate some new hashes and build up an Authorization header like:</li> </ul> <blockquote> <p>Authorization: Digest username="Mufasa",<br> realm="<a href="mailto:testrealm@host.com">testrealm@host.com</a>",<br> nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",<br> uri="/dir/index.html",<br> qop=auth,<br> nc=00000001,<br> cnonce="0a4f113b",<br> response="6629fae49393a05397450978507c4ef1",<br> opaque="5ccc069c403ebaf9f0171e9517f40e41"</p> </blockquote> <ul> <li>You then resend the request with the given authorization header, which should allow you access to the resource.</li> </ul> <p>A couple of things to note here. One being that in my use case I only needed to use MD5 as my hashing algorithm. Digest authentication can also use SHA-256, and this is usually specified in the challenge <code>algorithm=SHA-256,</code> in the WWW-Authenticate header. <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate">Though the mdn web docs suggest this isn't really supported and rarely used</a> so for simplicity I haven't accounted for my use case.</p> <p>The last thing is that the quality of protection (qop) challenge can have more values than just 'auth'. Some examples you may see it like <code>qop=auth-int</code> where <code>auth-int</code> is authentication with integrity protection. Again, I didn't need to account for this for my use case.</p> <h3> Interpreting the 401 Error </h3> <p>Below, you can see the code for wiring up a HttpClient instance to try and get a resource at httpbin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HttpClient</span><span class="p">();</span> <span class="n">client</span><span class="p">.</span><span class="n">BaseAddress</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://httpbin.org"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">GetAsync</span><span class="p">(</span><span class="s">"/digest-auth/auth/username/password"</span><span class="p">);</span> </code></pre> </div> <p>You can see the response code is 401 if you inspect it with a debugger.</p> <p>Digging further you can see one of the response headers is <code>WWW-Authenticate: Digest realm="me@kennethreitz.com", nonce="dd355b0ef0f19b473c6a6609aa288adb", qop="auth", opaque="5a6aa7c0f368ef5c3ae070778fcd54f2", algorithm=MD5, stale=FALSE</code>. This is our first indication that this response is an authentication challenge response, it even gives us the authentication type: <code>Digest</code>.</p> <h3> Parsing the WWW-Authenticate Header </h3> <p>Using the code below we can parse the WWW-Authenticate header to pull out the values we need to generate an authorization header. Which will be added to our second, authenticated, request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">wwwAuthenticateHeaderValue</span> <span class="p">=</span> <span class="n">response</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">GetValues</span><span class="p">(</span><span class="s">"WWW-Authenticate"</span><span class="p">).</span><span class="nf">FirstOrDefault</span><span class="p">();</span> <span class="kt">var</span> <span class="n">realm</span> <span class="p">=</span> <span class="nf">GrabHeaderVar</span><span class="p">(</span><span class="s">"realm"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="kt">var</span> <span class="n">nonce</span> <span class="p">=</span> <span class="nf">GrabHeaderVar</span><span class="p">(</span><span class="s">"nonce"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="kt">var</span> <span class="n">qop</span> <span class="p">=</span> <span class="nf">GrabHeaderVar</span><span class="p">(</span><span class="s">"qop"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="kt">var</span> <span class="n">clientNonce</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Random</span><span class="p">().</span><span class="nf">Next</span><span class="p">(</span><span class="m">123400</span><span class="p">,</span> <span class="m">9999999</span><span class="p">).</span><span class="nf">ToString</span><span class="p">();</span> <span class="kt">var</span> <span class="n">opaque</span> <span class="p">=</span> <span class="nf">GrabHeaderVar</span><span class="p">(</span><span class="s">"opaque"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="k">private</span> <span class="k">static</span> <span class="kt">string</span> <span class="nf">GetChallengeValueFromHeader</span><span class="p">(</span><span class="kt">string</span> <span class="n">challengeName</span><span class="p">,</span> <span class="kt">string</span> <span class="n">fullHeaderValue</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// if variableName = qop, the below regex would look like qop="([^""]*)"</span> <span class="c1">// So it matches anything with the challenge name and then gets the challenge value</span> <span class="kt">var</span> <span class="n">regHeader</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Regex</span><span class="p">(</span><span class="s">$@"</span><span class="p">{</span><span class="n">challengeName</span><span class="p">}</span><span class="s">=""([^""]*)"""</span><span class="p">);</span> <span class="kt">var</span> <span class="n">matchHeader</span> <span class="p">=</span> <span class="n">regHeader</span><span class="p">.</span><span class="nf">Match</span><span class="p">(</span><span class="n">fullHeaderValue</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">matchHeader</span><span class="p">.</span><span class="n">Success</span><span class="p">)</span> <span class="k">return</span> <span class="n">matchHeader</span><span class="p">.</span><span class="n">Groups</span><span class="p">[</span><span class="m">1</span><span class="p">].</span><span class="n">Value</span><span class="p">;</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">ApplicationException</span><span class="p">(</span><span class="s">$"Header </span><span class="p">{</span><span class="n">challengeName</span><span class="p">}</span><span class="s"> not found"</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>I then opt'd to throw the parsed challenge values into a class just to make it easier to manage. You'll also notice here I'm not doing anything fancy with maintaining the nonce count state. <strong>This is because if the server see's the same nonce count for a previously sent nonce, the response will be a replay</strong>. This was fine for my use case where I was just accessing static content, but it's something to keep in mind. This <em>might</em> lead to servers rejecting a request if they interpret it as a replay attack. That sounds like a problem for another day to me 👉😎👉.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">digestHeader</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">DigestAuthHeader</span><span class="p">(</span><span class="n">realm</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">nonce</span><span class="p">,</span> <span class="n">qop</span><span class="p">,</span> <span class="n">nonceCount</span><span class="p">:</span> <span class="m">1</span><span class="p">,</span> <span class="n">clientNonce</span><span class="p">,</span> <span class="n">opaque</span><span class="p">);</span> <span class="k">internal</span> <span class="k">class</span> <span class="nc">DigestAuthHeader</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">DigestAuthHeader</span><span class="p">(</span><span class="kt">string</span> <span class="n">realm</span><span class="p">,</span> <span class="kt">string</span> <span class="n">username</span><span class="p">,</span> <span class="kt">string</span> <span class="n">password</span><span class="p">,</span> <span class="kt">string</span> <span class="n">nonce</span><span class="p">,</span> <span class="kt">string</span> <span class="n">qualityOfProtection</span><span class="p">,</span> <span class="kt">int</span> <span class="n">nonceCount</span><span class="p">,</span> <span class="kt">string</span> <span class="n">clientNonce</span><span class="p">,</span> <span class="kt">string</span> <span class="n">opaque</span><span class="p">)</span> <span class="p">{</span> <span class="n">Realm</span> <span class="p">=</span> <span class="n">realm</span><span class="p">;</span> <span class="n">Username</span> <span class="p">=</span> <span class="n">username</span><span class="p">;</span> <span class="n">Password</span> <span class="p">=</span> <span class="n">password</span><span class="p">;</span> <span class="n">Nonce</span> <span class="p">=</span> <span class="n">nonce</span><span class="p">;</span> <span class="n">QualityOfProtection</span> <span class="p">=</span> <span class="n">qualityOfProtection</span><span class="p">;</span> <span class="n">NonceCount</span> <span class="p">=</span> <span class="n">nonceCount</span><span class="p">;</span> <span class="n">ClientNonce</span> <span class="p">=</span> <span class="n">clientNonce</span><span class="p">;</span> <span class="n">Opaque</span> <span class="p">=</span> <span class="n">opaque</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Realm</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Username</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Password</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Nonce</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">QualityOfProtection</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">int</span> <span class="n">NonceCount</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">ClientNonce</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Opaque</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Generating the Challenge Response Header </h3> <p>With the challenge values pulled out we can generate the challenge response <code>Authorization</code> header value, using the code below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">private</span> <span class="k">static</span> <span class="kt">string</span> <span class="nf">GenerateMD5Hash</span><span class="p">(</span><span class="kt">string</span> <span class="n">input</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// x2 formatter is for hexadecimal in the ToString function</span> <span class="k">using</span> <span class="nn">MD5</span> <span class="n">hash</span> <span class="p">=</span> <span class="n">MD5</span><span class="p">.</span><span class="nf">Create</span><span class="p">();</span> <span class="k">return</span> <span class="kt">string</span><span class="p">.</span><span class="nf">Concat</span><span class="p">(</span><span class="n">hash</span><span class="p">.</span><span class="nf">ComputeHash</span><span class="p">(</span><span class="n">Encoding</span><span class="p">.</span><span class="n">UTF8</span><span class="p">.</span><span class="nf">GetBytes</span><span class="p">(</span><span class="n">input</span><span class="p">))</span> <span class="p">.</span><span class="nf">Select</span><span class="p">(</span> <span class="n">x</span> <span class="p">=&gt;</span> <span class="n">x</span><span class="p">.</span><span class="nf">ToString</span><span class="p">(</span><span class="s">"x2"</span><span class="p">))</span> <span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">static</span> <span class="kt">string</span> <span class="nf">GetDigestHeader</span><span class="p">(</span><span class="n">DigestAuthHeader</span> <span class="n">digest</span><span class="p">,</span> <span class="kt">string</span> <span class="n">digestUri</span><span class="p">,</span> <span class="n">HttpMethod</span> <span class="n">method</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">ha1</span> <span class="p">=</span> <span class="nf">GenerateMD5Hash</span><span class="p">(</span><span class="s">$"</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Username</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Realm</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Password</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">ha2</span> <span class="p">=</span> <span class="nf">GenerateMD5Hash</span><span class="p">(</span><span class="s">$"</span><span class="p">{</span><span class="n">method</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digestUri</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">digestResponse</span> <span class="p">=</span> <span class="nf">GenerateMD5Hash</span><span class="p">(</span><span class="s">$"</span><span class="p">{</span><span class="n">ha1</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Nonce</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">NonceCount</span><span class="p">:</span><span class="m">00000000</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">ClientNonce</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">QualityOfProtection</span><span class="p">}</span><span class="s">:</span><span class="p">{</span><span class="n">ha2</span><span class="p">}</span><span class="s">"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">headerString</span> <span class="p">=</span> <span class="s">$"Digest username=\"</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Username</span><span class="p">}</span><span class="s">\", realm=\"</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Realm</span><span class="p">}</span><span class="s">\", nonce=\"</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Nonce</span><span class="p">}</span><span class="s">\", uri=\"</span><span class="p">{</span><span class="n">digestUri</span><span class="p">}</span><span class="s">\", "</span> <span class="p">+</span> <span class="s">$"algorithm=MD5, qop=</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">QualityOfProtection</span><span class="p">}</span><span class="s">, nc=</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">NonceCount</span><span class="p">:</span><span class="m">00000000</span><span class="p">}</span><span class="s">, cnonce=\"</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">ClientNonce</span><span class="p">}</span><span class="s">\", "</span> <span class="p">+</span> <span class="s">$"response=\"</span><span class="p">{</span><span class="n">digestResponse</span><span class="p">}</span><span class="s">\", opaque=\"</span><span class="p">{</span><span class="n">digest</span><span class="p">.</span><span class="n">Opaque</span><span class="p">}</span><span class="s">\""</span><span class="p">;</span> <span class="k">return</span> <span class="n">headerString</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Because I'm super lazy, I'll copy and paste the Wikipedia explanation that links to the above code section:</p> <p>The "response" value is calculated in three steps, as follows. Where values are combined, they are delimited by colons.</p> <ol> <li>The MD5 hash of the combined username, authentication realm and password is calculated. The result is referred to as Ha1.</li> <li>The MD5 hash of the combined method and digest URI is calculated, e.g. of "GET" and "/dir/index.html". The result is referred to as Ha2.</li> <li>The MD5 hash of the combined HA1 result, server nonce (nonce), request counter (nc), client nonce (cnonce), quality of protection code (qop) and HA2 result is calculated. The result is the "response" value provided by the client.</li> </ol> <h3> Extending the HttpClient class </h3> <p>I decided to wrap all this authentication and re-sending requests in an extension method, which you can see below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">static</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">HttpResponseMessage</span><span class="p">&gt;</span> <span class="nf">SendWithDigestAuthAsync</span><span class="p">(</span><span class="k">this</span> <span class="n">HttpClient</span> <span class="n">client</span><span class="p">,</span> <span class="n">HttpRequestMessage</span> <span class="n">request</span><span class="p">,</span> <span class="n">HttpCompletionOption</span> <span class="n">httpCompletionOption</span><span class="p">,</span> <span class="kt">string</span> <span class="n">username</span><span class="p">,</span> <span class="kt">string</span> <span class="n">password</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">newRequest</span> <span class="p">=</span> <span class="nf">CloneBeforeContentSet</span><span class="p">(</span><span class="n">request</span><span class="p">);</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">SendAsync</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">httpCompletionOption</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="n">StatusCode</span> <span class="p">!=</span> <span class="n">System</span><span class="p">.</span><span class="n">Net</span><span class="p">.</span><span class="n">HttpStatusCode</span><span class="p">.</span><span class="n">Unauthorized</span><span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">;</span> <span class="kt">var</span> <span class="n">wwwAuthenticateHeaderValue</span> <span class="p">=</span> <span class="n">response</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">GetValues</span><span class="p">(</span><span class="s">"WWW-Authenticate"</span><span class="p">).</span><span class="nf">FirstOrDefault</span><span class="p">();</span> <span class="kt">var</span> <span class="n">realm</span> <span class="p">=</span> <span class="nf">GetChallengeValueFromHeader</span><span class="p">(</span><span class="s">"realm"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="kt">var</span> <span class="n">nonce</span> <span class="p">=</span> <span class="nf">GetChallengeValueFromHeader</span><span class="p">(</span><span class="s">"nonce"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="kt">var</span> <span class="n">qop</span> <span class="p">=</span> <span class="nf">GetChallengeValueFromHeader</span><span class="p">(</span><span class="s">"qop"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="c1">// Must be fresh on every request, so low chance of same client nonce here by just using a random number.</span> <span class="kt">var</span> <span class="n">clientNonce</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Random</span><span class="p">().</span><span class="nf">Next</span><span class="p">(</span><span class="m">123400</span><span class="p">,</span> <span class="m">9999999</span><span class="p">).</span><span class="nf">ToString</span><span class="p">();</span> <span class="kt">var</span> <span class="n">opaque</span> <span class="p">=</span> <span class="nf">GetChallengeValueFromHeader</span><span class="p">(</span><span class="s">"opaque"</span><span class="p">,</span> <span class="n">wwwAuthenticateHeaderValue</span><span class="p">);</span> <span class="kt">var</span> <span class="n">digestHeader</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">DigestAuthHeader</span><span class="p">(</span><span class="n">realm</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span> <span class="n">nonce</span><span class="p">,</span> <span class="n">qop</span><span class="p">,</span> <span class="n">nonceCount</span><span class="p">:</span> <span class="m">1</span><span class="p">,</span> <span class="n">clientNonce</span><span class="p">,</span> <span class="n">opaque</span><span class="p">);</span> <span class="kt">var</span> <span class="n">digestRequestHeader</span> <span class="p">=</span> <span class="nf">GetDigestHeader</span><span class="p">(</span><span class="n">digestHeader</span><span class="p">,</span> <span class="n">newRequest</span><span class="p">.</span><span class="n">RequestUri</span><span class="p">.</span><span class="nf">ToString</span><span class="p">(),</span> <span class="n">request</span><span class="p">.</span><span class="n">Method</span><span class="p">);</span> <span class="n">newRequest</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">,</span> <span class="n">digestRequestHeader</span><span class="p">);</span> <span class="kt">var</span> <span class="n">authRes</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">SendAsync</span><span class="p">(</span><span class="n">newRequest</span><span class="p">,</span> <span class="n">httpCompletionOption</span><span class="p">);</span> <span class="k">return</span> <span class="n">authRes</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">static</span> <span class="n">HttpRequestMessage</span> <span class="nf">CloneBeforeContentSet</span><span class="p">(</span><span class="k">this</span> <span class="n">HttpRequestMessage</span> <span class="n">req</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Deep clone of a given request, outlined here:</span> <span class="c1">// https://stackoverflow.com/questions/18000583/re-send-httprequestmessage-exception/18014515#18014515</span> <span class="n">HttpRequestMessage</span> <span class="n">clone</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HttpRequestMessage</span><span class="p">(</span><span class="n">req</span><span class="p">.</span><span class="n">Method</span><span class="p">,</span> <span class="n">req</span><span class="p">.</span><span class="n">RequestUri</span><span class="p">);</span> <span class="n">clone</span><span class="p">.</span><span class="n">Content</span> <span class="p">=</span> <span class="n">req</span><span class="p">.</span><span class="n">Content</span><span class="p">;</span> <span class="n">clone</span><span class="p">.</span><span class="n">Version</span> <span class="p">=</span> <span class="n">req</span><span class="p">.</span><span class="n">Version</span><span class="p">;</span> <span class="k">foreach</span> <span class="p">(</span><span class="n">KeyValuePair</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">,</span> <span class="kt">object</span><span class="p">&gt;</span> <span class="n">prop</span> <span class="k">in</span> <span class="n">req</span><span class="p">.</span><span class="n">Properties</span><span class="p">)</span> <span class="p">{</span> <span class="n">clone</span><span class="p">.</span><span class="n">Properties</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="n">prop</span><span class="p">);</span> <span class="p">}</span> <span class="k">foreach</span> <span class="p">(</span><span class="n">KeyValuePair</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">,</span> <span class="n">IEnumerable</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;&gt;</span> <span class="n">header</span> <span class="k">in</span> <span class="n">req</span><span class="p">.</span><span class="n">Headers</span><span class="p">)</span> <span class="p">{</span> <span class="n">clone</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">TryAddWithoutValidation</span><span class="p">(</span><span class="n">header</span><span class="p">.</span><span class="n">Key</span><span class="p">,</span> <span class="n">header</span><span class="p">.</span><span class="n">Value</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">clone</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> The Final Call 🤞 </h3> <p>With all the nasty authentication stuff abstracted away the final function calls should look fairly simple and you're really just substituting one method call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HttpClient</span><span class="p">();</span> <span class="n">client</span><span class="p">.</span><span class="n">BaseAddress</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">Uri</span><span class="p">(</span><span class="s">"https://httpbin.org"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">request</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">HttpRequestMessage</span><span class="p">(</span><span class="n">HttpMethod</span><span class="p">.</span><span class="n">Get</span><span class="p">,</span> <span class="s">"/digest-auth/auth/username/password"</span><span class="p">);</span> <span class="n">request</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Accept"</span><span class="p">,</span> <span class="s">"*/*"</span><span class="p">);</span> <span class="n">request</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"User-Agent"</span><span class="p">,</span> <span class="s">"HttpClientDigestAuthTester"</span><span class="p">);</span> <span class="n">request</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Accept-Encoding"</span><span class="p">,</span> <span class="s">"gzip, deflate, br"</span><span class="p">);</span> <span class="n">request</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Connection"</span><span class="p">,</span> <span class="s">"keep-alive"</span><span class="p">);</span> <span class="c1">// This will no respond with a 200 status code</span> <span class="kt">var</span> <span class="n">response</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">SendWithDigestAuthAsync</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">HttpCompletionOption</span><span class="p">.</span><span class="n">ResponseContentRead</span><span class="p">,</span> <span class="s">"username"</span><span class="p">,</span> <span class="s">"password"</span><span class="p">);</span> <span class="c1">// this is what originally gave a 401 status code</span> <span class="c1">//var response = await client.GetAsync("/digest-auth/auth/username/password");</span> </code></pre> </div> <p>Inspecting the response object should show it now responds with a 200 status code, so we've successfully performed the authentication dance with the server!</p> <h3> Final Words </h3> <p>Hopefully someone informs me that there's a simpler more '.NET' way of doing this. Where .NET does most of the heavy lifting for you. If anyone does, be sure to reach out and I'll happily strike through this entire post and point out the better way of doing it.</p> <p>As I mentioned in a previous section this implementation is far from implementing the full RFC specification for digest authentication, but it should be a decent starting point.</p> <p>The code for this is on my <a href="https://github.com/CallumHoughton18/csharp-dotnet-digest-authentication">GitHub</a> so feel free to have a look through or make any suggestions.</p> csharp dotnet digestauthentication authentication