Each of the Authorization directives is described in Table F-2, paraphrased from the descriptions in RFC 2617. Refer to the official specifications for the most up-to-date details.

Table F-2. Digest Authorization header directives (from RFC 2617)

Directive Description
username The user's name in the specified realm.
realm The realm passed to the client in the WWW-Authenticate header.
nonce The same nonce passed to the client in the WWW-Authenticate header.
uri The URI from the request URI of the request line; duplicated because proxies are allowed to change the request line in transit, and we may need the original URI for proper digest verification calculations.
response This is the actual digest-the whole point of digest authentication! The response is a string of 32 hexadecimal digits, computed by a negotiated digest algorithm, which proves that the user knows the password.
algorithm A string indicating a pair of algorithms used to produce the digest and a checksum. If this is not present, it is assumed to be "MD5".
opaque A string of data, specified by the server in a WWW-Authenticate header, that should be returned by the client unchanged in the Authorization header of subsequent requests with URIs in the same protection space.
cnonce This must be specified if a qop directive is sent and must not be specified if the server did not send a qop directive in the WWW-Authenticate header field.

The cnonce value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, to provide mutual authentication, and to provide some message-integrity protection.

See the descriptions of the response-digest and request-digest calculations later in this appendix.

qop Indicates what "quality of protection" the client has applied to the message. If present, its value must be one of the alternatives the server indicated it supports in the WWW-Authenticate header. These values affect the computation of the request digest.

This is a single token, not a quoted list of alternatives, as in WWW-Authenticate.

This directive is optional, to preserve backward compatibility with a minimal implementation of RFC 2069, but it should be used if the server indicated that qop is supported by providing a qop directive in the WWW-Authenticate header field.

nc This must be specified if a qop directive is sent and must not be specified if the server did not send a qop directive in the WWW-Authenticate header field.

The value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. For example, in the first request sent in response to a given nonce value, the client sends nc="00000001".

The purpose of this directive is to allow the server to detect request replays by maintaining its own copy of this count-if the same nc value is seen twice, the request is a replay.

<extension> This directive allows for future extensions. Any unrecognized directive must be ignored.

 


Hypertext Transfer Protocol (HTTP)