Digest authentication
Ktor supports HTTP digest authentication.It works differently than the basic/form auths:
authentication {
digest {
val password = "Circle Of Life"
digester = MessageDigest.getInstance("MD5")
realm = "testrealm@host.com"
userNameRealmPasswordDigestProvider = { userName, realm ->
when (userName) {
"missing" -> null
else -> {
digester.reset()
digester.update("$userName:$realm:$password".toByteArray())
digester.digest()
}
}
}
}
}
Instead of providing a verifier, you have to provide a userNameRealmPasswordDigestProvider
that is in charge ofreturning the HA1
part of the digest. In the case of MD5
: MD5("$username:$realm:$password")
.The idea is that you can store passwords already hashed.And only return the expected hash for a specific user, or null if the user does not exist.The callback is suspendable, so you can retrieve or compute the expected hash asynchronously,for example from disk or a database.
authentication {
val myRealm = "MyRealm"
val usersInMyRealmToHA1: Map<String, ByteArray> = mapOf(
// pass="test", HA1=MD5("test:MyRealm:pass")="fb12475e62dedc5c2744d98eb73b8877"
"test" to hex("fb12475e62dedc5c2744d98eb73b8877")
)
digest("auth") {
userNameRealmPasswordDigestProvider = { userName, realm ->
usersInMyRealmToHA1[userName]
}
}
}
HA1
(H(A1)
) comes from RFC 2069 (An Extension to HTTP: Digest Access Authentication)
HA1=MD5(username:realm:password) <-- You usually store this.
HA2=MD5(method:digestURI)
response=MD5(HA1:nonce:HA2) <-- The client and the server sends and checks this.
While realm
is guaranteed to be the realm
passed to the digestAuthentication
function and it is passed just for convenience,userName
can be any value, so take this into account and remember to escape and or validate it, when using that valuefor accessing the file system, accessing databases, storing it, generating HTML, etc.