Consume REST Services with Digest Authentication

0
Hi, I am trying to connect to a REST API with Digest Authentication. I am trying to replicate a PUT request using the following sample curl request:

curl -v --digest --user *****:***** -H "Content-Type: application/xml" -X PUT -d '<person><first>John</first><last>Doe</last></person>' "http://localhost:8003/v1/documents?uri=/docs/person.xml"

I have implemented a dummy GET request to get the WWW-Authenticate response header value.

I have tried to append the Username to this header and use it with a GET request immediately after that. But the response says unauthorized in all the combinations I've tried. Any pointers?

Regards, Kshitij
asked
2 answers
3

Hi Kshitij,

So you were far on your way. I made a test case tonight against the postman-echo service, which is available for test purposes to test REST calls, of which digest auth is one. (See informative URLs below.)

So I built a microflow (see modelshare below) which basically does the first request to the postman-echo service, acquiring the authentication details. I then get the header "WWW-Authenticate" from the 401 result, which in my case consists of the following string:

"Digest realm="Users", nonce="Vcu7QjWhsj5zJbkAo6KSgxFqK0FFVks9", qop="auth"".

After extracting the necessary values I then calculate the hashes. I created a Java action for this with the following line of code:

return org.apache.commons.codec.digest.DigestUtils.md5Hex(stringToMd5);

After I've implemented this I can start with the first part; the username in this case is "postman" and the pass is "password". You can find the information for this call in the URLs below.

HA1= md5(user:realm:password)
= md5(postman:Users:password)
= d38e52b6bfcc38db1b146835e4e78d4a

Then I calculate the 2nd hash:

HA2= md5(method:uri)
= md5(GET:/digest-auth)
= d44208d61728db39ce092dd4d9a3e278

Then, last, I calculate the final response value to return with the authentication string:

Response= md5(ha1:nonce:ha2)
= md5(d38e52b6bfcc38db1b146835e4e78d4a:Vcu7QjWhsj5zJbkAo6KSgxFqK0FFVks9:d44208d61728db39ce092dd4d9a3e278)
= 2113c6a0a925b5a101ab2d85e05b7031

Now we're ready to set up the authentication string. In this case that would be:

Digest username="postman", realm="Users", nonce="Vcu7QjWhsj5zJbkAo6KSgxFqK0FFVks9", uri="/digest-auth", response="2113c6a0a925b5a101ab2d85e05b7031", opaque=""

And voila:

 

I hope this helps you on the way.

Regards,

Modelshare:

https://modelshare.mendix.com/models/dd0fc532-cf91-4f90-a491-dcf7ae943a15/digest-call

URLs:

https://docs.postman-echo.com/#70ed7920-ead1-2d20-645a-c716ab0fd137

https://docs.postman-echo.com/#a4c04e32-72cf-0475-07dc-89c23f85cf0c

answered
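
An added example, not code from the answer above or from the linked Mendix model: the same HA1/HA2/response steps in Python, generalized so that when the challenge advertises qop="auth" (as the one quoted above does) the response also covers the nonce count and a client nonce as RFC 2617 specifies, with the three-part formula from the answer kept as the fallback when no qop is offered. Function names and the CHALLENGE constant are this example's own; it assumes the MD5 algorithm only.

```python
import hashlib
import re
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(header):
    """Split a 'Digest k="v", ...' WWW-Authenticate value into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(user, password, method, uri, challenge, nc=1, cnonce=None):
    """Return (response_hex, extra_fields) for an MD5 Digest challenge."""
    if challenge.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this example")
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    nonce = challenge["nonce"]
    offered = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in offered:
        # RFC 2617 form: nonce count and client nonce are part of the hash.
        cnonce = cnonce or secrets.token_hex(8)
        nc_hex = f"{nc:08x}"
        response = md5_hex(f"{ha1}:{nonce}:{nc_hex}:{cnonce}:auth:{ha2}")
        return response, {"qop": "auth", "nc": nc_hex, "cnonce": cnonce}
    # Legacy RFC 2069 form (no qop offered): md5(ha1:nonce:ha2), as in the answer.
    return md5_hex(f"{ha1}:{nonce}:{ha2}"), {}

def authorization_header(user, password, method, uri, www_authenticate, **kw):
    ch = parse_challenge(www_authenticate)
    response, extra = digest_response(user, password, method, uri, ch, **kw)
    fields = [("username", user), ("realm", ch["realm"]), ("nonce", ch["nonce"]),
              ("uri", uri), ("response", response)]
    if "opaque" in ch:
        fields.append(("opaque", ch["opaque"]))  # echo back only if the server sent it
    parts = [f'{k}="{v}"' for k, v in fields]
    if extra:
        # qop and nc are sent unquoted; cnonce is a quoted string.
        parts += [f"qop={extra['qop']}", f"nc={extra['nc']}", f'cnonce="{extra["cnonce"]}"']
    return "Digest " + ", ".join(parts)

# Challenge string quoted in the answer above; credentials are the postman-echo test pair.
CHALLENGE = 'Digest realm="Users", nonce="Vcu7QjWhsj5zJbkAo6KSgxFqK0FFVks9", qop="auth"'
if __name__ == "__main__":
    print(authorization_header("postman", "password", "GET", "/digest-auth", CHALLENGE))
```

The nonce is single-use per challenge on many servers, so the 401 request and the authenticated request must be made back to back, and nc must increase if the same nonce is reused.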
1

Hi Kshitij,

Could the solution suggested by Faried in the following topic help you?

https://forum.mendix.com/link/questions/17212

He basically suggests combining username and pass in an MD5-hashed string and adding this combination to the header for authentication.

Regards

answered