Add HTTP Digest Access Authentication to the http input #4524

Closed
danielnelson opened this issue Aug 6, 2018 · 11 comments

@danielnelson
Contributor

Feature Request

Proposal:

The http input plugin should support HTTP Digest Authentication as described in rfc2617.

There has been prior discussion of this feature on #461

Current behavior:

No support

Desired behavior:

Support added.

Example

curl --user aaa:bbb "http://xxx.yyy" --digest -v
Authorization: Digest username="root", realm="Forbidden", nonce="04d5b48c5e6c8b9b3dd84af4ce6b7643", uri="/", cnonce="OTEyZTZkMTExZjk1NDAxM2EyMDdlMThlNDc4MTM4MGM=", nc=00000001, qop=auth, response="a2ac73d78e199580a2c8546ac4ba7229", opaque="7a6a2abf367f778892c5db364070449f", algorithm="MD5"

Use case:

Needed for interop with servers expecting digest authentication

danielnelson added the "feature request" label Aug 6, 2018
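How the `response` value in an `Authorization: Digest` header like the one in the opening post is derived under RFC 2617 (qop=auth, algorithm=MD5), as an added example that is not Telegraf's code or the code of any library named in this thread. `ParseChallenge` and `Authorization` are illustrative names, and the sample input in `main` is the worked example from RFC 2617 section 3.5, not the values from this issue.

```go
package main // added example; ParseChallenge and Authorization are illustrative names
import (
	"crypto/md5"
	"fmt"
	"regexp"
	"strings"
)

// h is H() from RFC 2617 for algorithm=MD5: lowercase hex of the MD5 digest.
func h(s string) string { return fmt.Sprintf("%x", md5.Sum([]byte(s))) }
// paramRe matches name=value and name="value" pairs in a challenge.
var paramRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|([^\s,]+))`)

// ParseChallenge reads a WWW-Authenticate value; other schemes or a missing realm/nonce are errors.
func ParseChallenge(v string) (map[string]string, error) {
	p := map[string]string{}
	if len(v) > 7 && strings.EqualFold(v[:7], "Digest ") {
		for _, m := range paramRe.FindAllStringSubmatch(v[7:], -1) {
			p[strings.ToLower(m[1])] = m[2] + m[3] // only one of the two groups is non-empty
		}
	}
	if p["realm"] == "" || p["nonce"] == "" {
		return nil, fmt.Errorf("not a usable Digest challenge: %q", v)
	}
	return p, nil
}

// Authorization builds the qop=auth, MD5 request header; cnonce is passed in so the output is reproducible.
func Authorization(c map[string]string, user, pass, method, uri, cnonce string, nc int) (string, error) {
	if a := c["algorithm"]; a != "" && !strings.EqualFold(a, "MD5") {
		return "", fmt.Errorf("unsupported algorithm %q", a)
	}
	if !strings.Contains(","+strings.ReplaceAll(c["qop"], " ", "")+",", ",auth,") {
		return "", fmt.Errorf("server does not offer qop=auth: %q", c["qop"])
	}
	ha1, ha2, ncs := h(user+":"+c["realm"]+":"+pass), h(method+":"+uri), fmt.Sprintf("%08x", nc)
	resp := h(strings.Join([]string{ha1, c["nonce"], ncs, cnonce, "auth", ha2}, ":"))
	hdr := fmt.Sprintf(`Digest username=%q, realm=%q, nonce=%q, uri=%q, cnonce=%q, nc=%s, qop=auth, response=%q, algorithm=MD5`,
		user, c["realm"], c["nonce"], uri, cnonce, ncs, resp)
	if o := c["opaque"]; o != "" {
		hdr += fmt.Sprintf(", opaque=%q", o) // opaque is echoed back unchanged when the server sent one
	}
	return hdr, nil
}

func main() { // sample input: the worked example from RFC 2617, section 3.5
	c, _ := ParseChallenge(`Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"`)
	fmt.Println(Authorization(c, "Mufasa", "Circle Of Life", "GET", "/dir/index.html", "0a4f113b", 1))
}
```

In a real client the cnonce comes from `crypto/rand` and `nc` is incremented for every request that reuses the same server nonce.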
@danielnelson
Contributor Author

@spidie @marianob85 @aashley This issue replaces #461

@yaazkal

yaazkal commented Nov 27, 2019

Hello, I wonder if this feature request has any chance to be implemented.
Regards !

@russorat
Contributor

@yaazkal no, this issue is still pending. Could you add your use case and why this addition would be helpful for you to help us prioritize against the other work in the project? Also, if someone from the community would like to take a stab at implementing this, we would be glad to review the PR. Thanks!

@yaazkal

yaazkal commented Nov 27, 2019

@russorat Thanks for the answer.

About Digest authentication (context)
"The Digest authentication scheme [...] is intended as a replacement for Basic authentication and nothing more." (as seen in rfc2617, section 3.1.4)

"The protocol referred to as "HTTP/1.0" includes the specification for a Basic Access Authentication scheme[1]. That scheme is not considered to be a secure method of user authentication, as the user name and password are passed over the network in an unencrypted form. This section provides the specification for a scheme that does not send the password in cleartext, referred to as "Digest Access Authentication"." (as seen in rfc2617, section 3.1.1)

Why it is good to have it implemented
As it is the replacement for basic auth, many companies have opted to use it as the default way of authentication in their web servers. This of course is not the safest authentication method and it has its own limitations, but it is the preferred method over basic auth.

My use case
I'm using telegraf to consume a URL that will result in a csv file, as described on page 6 of this document.

This is to use an API that a device called egauge has. The device doesn't support basic auth but digest authentication by default. As every device has its own web server and I can't change its configuration (and if I could, I would not want to because of the reference above), I'm forced to use Digest for every device. Now, as I'm using ansible to provision many raspberry pi and then every pi will consume an egauge device, this can solve my specific use case multiplied by the devices I'll provision :)

Anyway, I don't think there will be few use cases, as digest is a replacement of basic auth as cited before.

@yaazkal

yaazkal commented Nov 27, 2019

Let me add that after writing this I've checked the code to see if I can open a PR. Found that golang has no digest auth support in the http module. As there are third party modules that add support for it, I'd suggest discussing them first before choosing one, or maybe doing a feature request in golang. What do you think?

Regards !

@danielnelson
Contributor Author

@yaazkal Doesn't appear that Go will be adding first party support for digest authentication in the near term. Would you be able to make a list of the libraries that implement support?

@yaazkal

yaazkal commented Dec 4, 2019

@danielnelson I'm aware of the existence of:

https://github.com/bobziuchkovski/digest which is a fork of this
https://github.com/delphinus/go-digest-request
https://github.com/Soontao/goHttpDigestClient

I ended up using the first of the list on a project because it was pretty straightforward, but I had to change this switch because if the header also has charset it was defaulting to an error.

I also tried with the other libraries but found them confusing and in the end they didn't work for me (maybe it is a lack of knowledge on my side).

My general impression is that there is still work to be done in any of those and I'm not sure if they are maintained as I don't see recent activity (old commits, issues and PRs).

PS if anyone ends up searching for a workaround to use digest in telegraf: For my project I ended up using [[inputs.exec]] with a curl command, something like:

[[inputs.exec]]
  commands = [ "curl -X GET -u USER:PASSWORD --digest 'https://URL'" ]

@yaazkal

yaazkal commented Dec 4, 2019

My personal opinion is to contribute or request the digest support in golang directly and use the exec input in telegraf

@russorat russorat removed their assignment Jan 19, 2022
@srebhan srebhan self-assigned this Nov 1, 2023
@srebhan
Member

srebhan commented Nov 1, 2023

Maintained version of a library: https://github.com/icholy/digest

@srebhan
Member

srebhan commented Nov 1, 2023

Is this issue still relevant to anyone here?

srebhan added the "waiting for response" label Nov 1, 2023
@telegraf-tiger
Contributor

Hello! I am closing this issue due to inactivity. I hope you were able to resolve your problem; if not, please try posting this question in our Community Slack or Community Forums or provide additional details in this issue and request that it be re-opened. Thank you!
