SHA 256 Digest Authentication #8682

Closed
5 of 7 tasks
Rumyra opened this issue Sep 6, 2021 · 8 comments
@Rumyra
Collaborator

Rumyra commented Sep 6, 2021

Acceptance Criteria

  • The listed features are documented sufficiently on MDN
  • BCD is updated
  • Interactive example and data repos are updated if appropriate
  • The content has been reviewed as needed

For folks helping with Firefox related documentation

  • Set bugs to dev-doc-complete
  • Add entry to Firefox release notes if feature is enabled in release
    or
  • Add entry to Firefox experimental features page if feature is not yet enabled in release

Features to document

Possibly an update here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Digest

Related Gecko bugs

https://bugzilla.mozilla.org/show_bug.cgi?id=472823

@gstrauss

FYI, the lighttpd web server has supported HTTP Authentication method Digest with algorithm=SHA-256 (RFC 7616) since lighttpd 1.4.54 (May 2019). A few weeks ago, I tested lighttpd mod_auth with FF93 (alpha?) from the nightlies, and FF93 successfully authenticated using HTTP Auth Digest with algorithm=SHA-256. FF93 also correctly uses SHA-256 when lighttpd provides multiple WWW-Authenticate digest challenges (e.g. algorithm=SHA-256 and algorithm=MD5).

With FF93, Firefox joins Opera in supporting HTTP Authentication method Digest with algorithm=SHA-256. Chrome does not yet support Digest algorithm=SHA-256: https://bugs.chromium.org/p/chromium/issues/detail?id=1160478
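
The challenge selection described in the comment above, as an added example that is not part of the original thread and is not lighttpd or Firefox code: a client receives several `WWW-Authenticate: Digest` challenges, picks the strongest algorithm it supports, and computes the `qop=auth` response. The function names are hypothetical, and the sample challenges are constructed from the example values in RFC 7616 section 3.9.1.

```python
import hashlib
import re

# Client preference, strongest first; MD5 is only a legacy fallback.
PREFERENCE = ["SHA-256", "MD5"]
HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}

def parse_challenge(value):
    """Parse one 'Digest k=v, k="v"' challenge; return None for other schemes."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    params = {k.lower(): quoted or bare for k, quoted, bare in pairs}
    params.setdefault("algorithm", "MD5")  # RFC 7616: no algorithm means MD5
    return params

def pick_challenge(values):
    """Pick by client preference, not header order; skip unknown algorithms."""
    parsed = [p for p in map(parse_challenge, values) if p]
    usable = [p for p in parsed if p["algorithm"].upper() in HASHES]
    if not usable:
        raise ValueError("no supported Digest challenge")
    return min(usable, key=lambda p: PREFERENCE.index(p["algorithm"].upper()))

def digest_response(ch, user, password, method, uri, nc, cnonce):
    """Response value for qop=auth (assumed here), RFC 7616 section 3.4.1."""
    def h(text):
        return HASHES[ch["algorithm"].upper()](text.encode()).hexdigest()
    ha1 = h(f"{user}:{ch['realm']}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")

# Constructed input: two challenges built from the RFC 7616 section 3.9.1
# values, with MD5 listed first to show that header order does not decide.
NONCE = "7ypf/xlj9XXwfDPEoM4URrv/xwf94BcCAzFZH4GiTo0v"
CNONCE = "f2/wE4q74E6zIJEtWaHKaf5wv/H5QzzpXusqGemxURZJ"
REALM = 'realm="http-auth@example.org", qop="auth, auth-int"'
CHALLENGES = [
    f'Digest {REALM}, algorithm=MD5, nonce="{NONCE}"',
    f'Digest {REALM}, algorithm=SHA-256, nonce="{NONCE}"',
]

if __name__ == "__main__":
    chosen = pick_challenge(CHALLENGES)
    print(chosen["algorithm"],
          digest_response(chosen, "Mufasa", "Circle of Life", "GET",
                          "/dir/index.html", "00000001", CNONCE))
```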

@gstrauss

BTW, https://en.wikipedia.org/wiki/Digest_access_authentication references Mozilla bug 472823 noting that Firefox does not (did not) support HTTP Auth Digest algorithm=SHA-256, so once FF93 is released, let's update the Wikipedia page, too. (I'll try to remember.)

@hamishwillee
Collaborator

@gstrauss Thanks! Opera is based on Chromium too nowadays (along with Edge) - is there some oddity that means they support this feature differently than Chrome?

@gstrauss

gstrauss commented Sep 14, 2021

@hamishwillee Someone reported that Opera with HTTP auth Digest algorithm=SHA-256 worked with lighttpd 1.4.54 in a forum post near the beginning of 2020: https://redmine.lighttpd.net/boards/2/topics/8903 and https://redmine.lighttpd.net/boards/2/topics/8955. However, I have not checked Opera, and that may no longer be true if Opera switched from Presto-based to Chromium-based. Thanks for calling that out.

@hamishwillee
Collaborator

@gstrauss Cool. I can almost guarantee that it isn't supported on Opera if it isn't on Chromium. That said, I have not tested this, and I thought Chromium did. Just FYI

  • I'm currently having to rewrite the MDN docs before I can do this properly - in particular the WWW-Authenticate headers assume Basic authentication. At the end of the process I hope that the docs are extensible - if someone wants to come along and write how to support OAuth on MDN using this it will be fairly obvious how.
  • For versions etc it still isn't clear the best way to capture what works. I'm hoping in Browser compatibility data, but that depends a bit on that team agreeing.

@hamishwillee
Collaborator

hamishwillee commented Sep 20, 2021

FYI, I've done the bulk of the docs work for this now to satisfy the condition "The listed features are documented sufficiently on MDN". At least it is clear that "Basic authentication" isn't the only alternative. And if someone did want to do digest authentication, it would be clear where you got started (albeit you still "need" the spec for a detailed implementation).

Most of the remainder is getting review from BCD team - because I think it makes sense to include the things that are supported by different browsers as a compatibility issue. If BCD disagree I may need to come back to the docs and try to include that information there.

Upshot, this would be "OK" for release.

PS It would be nice if there was parity in setup of Digest authentication for Apache, lighttpd but I don't see that as in scope/priority. It should be clear how/where you add that though, if needed.

@Rumyra
Collaborator Author

Rumyra commented Sep 23, 2021

That's perfect - thank you @hamishwillee

@Rumyra Rumyra closed this as completed Sep 23, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2022
@bsmth bsmth added fx release archive A closed issue relating to firefox release notes for developers. and removed Firefox 93 labels Dec 20, 2022