The problem I ran into was that a .NET-based client was not able to authenticate when using query parameters. Examining the traffic between the client and the server (and comparing with browser traffic that did work correctly) showed that the URI in the authorization did not include the query part.
This fix first checks if the URI is identical. If not, it checks if the basic URI (without the query parameters) is identical. If the request-URI and authorization URI are not identical, the authorization is declined.
This makes sure that .NET clients can use Digest authentication, while still maintaining a secure system.
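The two-stage URI comparison described above, as an added sketch that is not the code from this change. Function names and the sample credentials are constructed. It assumes the fallback compares the request URI with its query removed against the header's `uri` value unchanged, and it uses the RFC 2617 response without `qop` to keep the example short.

```python
import hashlib
import hmac


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(method, uri, username, realm, password, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def uri_matches(request_uri: str, auth_uri: str) -> bool:
    """Exact match first, then the request URI with its query part removed."""
    if request_uri == auth_uri:
        return True
    return request_uri.split("?", 1)[0] == auth_uri


def verify(method, request_uri, auth, password):
    """Decline on URI mismatch, otherwise check the response hash."""
    if not uri_matches(request_uri, auth["uri"]):
        return False
    # The client hashed the uri it put in the header, so that value is used
    # here. In the fallback case the query string is not covered by the hash.
    expected = digest_response(method, auth["uri"], auth["username"],
                               auth["realm"], password, auth["nonce"])
    return hmac.compare_digest(expected, auth["response"])


def sample_auth(uri):
    """Constructed Authorization fields for a client that sends `uri`."""
    fields = {"username": "alice", "realm": "example", "nonce": "abc123", "uri": uri}
    fields["response"] = digest_response("GET", uri, "alice", "example", "s3cret", "abc123")
    return fields


if __name__ == "__main__":
    # Browser-style header (uri includes the query): exact match.
    print(verify("GET", "/data/items?id=7", sample_auth("/data/items?id=7"), "s3cret"))
    # Header uri without the query part: accepted by the fallback.
    print(verify("GET", "/data/items?id=7", sample_auth("/data/items"), "s3cret"))
    # Header uri for a different path: declined.
    print(verify("GET", "/admin?id=7", sample_auth("/data/items"), "s3cret"))
```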