The Digest authentication scheme is part of the HTTP framework used for access control and authentication. In this scheme, a hash function is applied to a user name and password before sending them over the network.
Ktor allows you to use digest authentication for logging in users and protecting specific routes. You can get general information about authentication in Ktor in the Authentication and authorization section.
To use digest authentication, you need to include the ktor-auth artifact in the build script:
Digest authentication flow
The digest authentication flow looks as follows:
A client makes a request without the Authorization header to a specific route in a server application.
A server responds to the client with a 401 (Unauthorized) response status and uses the WWW-Authenticate response header to indicate that the digest authentication scheme is used to protect the route. A typical WWW-Authenticate header looks like this:
WWW-Authenticate: Digest realm="Access to the '/' path", nonce="e4549c0548886bc2", algorithm="MD5"
In Ktor, you can specify the realm and the way of generating a nonce value when configuring the
Usually a client displays a login dialog where a user can enter credentials. Then, the client makes a request with the following Authorization header:
Authorization: Digest username="jetbrains", realm="Access to the '/' path", nonce="e4549c0548886bc2", uri="/", algorithm=MD5, response="6299988bb4f05c0d8ad44295873858cf"
The response value is generated in the following way:
HA1 = MD5(username:realm:password)
HA2 = MD5(method:digestURI)
response = MD5(HA1:nonce:HA2)
The server validates the credentials sent by the client and responds with the requested content.
Install digest authentication
To install the digest authentication provider, call the digest function inside the
Configure digest authentication
To get a general idea of how to configure different authentication providers in Ktor, see Configure Authentication. In this section, we'll look at the configuration specifics of the digest authentication provider.
Step 1: Provide a user table with digests
The digest authentication provider validates user credentials using the HA1 part of a digest message. So, you can provide a user table that contains user names and the corresponding HA1 hashes. In the example below, the getMd5Digest function is used to generate
Step 2: Configure a digest provider
The digest authentication provider exposes its settings via the DigestAuthenticationProvider.Configuration class. In the example below, the following settings are specified:
The realm property sets the realm to be passed in
The digestProvider function fetches the HA1 part of the digest for a specified user name.
You can also use the nonceManager property to specify how to generate nonce values.
Step 3: Define authorization scope
After configuring the digest provider, you can define the authorization for the different resources in your application using the authenticate function. In the case of successful authentication, you can retrieve the authenticated UserIdPrincipal inside a route handler using the call.principal function and get the name of the authenticated user.
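As an added example (not part of the Ktor documentation or the Ktor code base), the following Python reproduces the HA1/HA2/response computation from the flow above and the server-side verification that Step 1 relies on: only HA1 is stored per user, and the expected response is recomputed from it. The realm, the set of issued nonces, the user table and the password are constructed values, and parse_authorization works on the header value after "Authorization: ".

```python
import hashlib
import hmac
import re

# Constructed server-side values for this example (not from a real deployment).
REALM = "Access to the '/' path"
ISSUED_NONCES = {"e4549c0548886bc2"}  # nonces this server issued and has not retired

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is the only secret the server stores."""
    return md5_hex(f"{username}:{realm}:{password}")

def expected_response(ha1_hex: str, method: str, uri: str, nonce: str) -> str:
    """response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:digestURI)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")

# key="quoted value" or key=bare-token, separated by commas
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_authorization(value: str) -> dict:
    """Parse the value of an 'Authorization: Digest ...' header into a dict."""
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest authorization header")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}

def build_authorization(username, password, method, uri, nonce, realm=REALM) -> str:
    """What a client sends after the 401: the Authorization header shown in the flow."""
    resp = expected_response(ha1(username, realm, password), method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", algorithm=MD5, response="{resp}"')

def verify(value: str, method: str, user_table: dict, issued=ISSUED_NONCES) -> bool:
    """Server-side check: recompute the response from the stored HA1 and compare."""
    p = parse_authorization(value)
    stored_ha1 = user_table.get(p.get("username"))
    if stored_ha1 is None or p.get("realm") != REALM:
        return False
    if p.get("nonce") not in issued:  # reject nonces this server never issued
        return False
    want = expected_response(stored_ha1, method, p.get("uri", ""), p["nonce"])
    got = p.get("response", "")
    return hmac.compare_digest(want.encode("utf-8"), got.encode("utf-8"))
```

Because HA2 binds the request method and URI, a valid response for GET / does not verify for another method or path, and a nonce the server did not issue is rejected before any hashing takes place.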