
Author Topic: IdHTTPServer and digest authentication  (Read 1279 times)

mrdebug

IdHTTPServer and digest authentication
« on: March 06, 2024, 06:22:13 pm »
Hi, I need to implement digest authentication on the server side. Can someone post an example of how to implement it with the IdHTTPServer component, server side? Many thanks.

Remy Lebeau

Re: IdHTTPServer and digest authentication
« Reply #1 on: March 09, 2024, 10:01:39 pm »
At this time, TIdHTTPServer does not natively implement any authentications other than BASIC.  If you want to use a different authentication, you have to implement it yourself, by parsing the client's authentication data in the OnParseAuthentication event, and validating the client's authentication data and populating TIdResponseInfo with any necessary server authentication data in the OnCommand... events.

Code: Pascal
  procedure TMyForm.IdHTTPServerParseAuthentication(AContext: TIdContext;
    const AAuthType, AAuthData: String; var VUsername, VPassword: String;
    var VHandled: Boolean);
  begin
    if TextIsSame(AAuthType, 'Digest') then
    begin
      // parse AAuthData, populate VUsername and VPassword as needed...
      VHandled := True;
    end;
  end;

  procedure TMyForm.IdHTTPServerCommandGet(AContext: TIdContext;
      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo);
  begin
    // ...
    if ARequestInfo.AuthExists then
    begin
      // use ARequestInfo.AuthType, ARequestInfo.AuthUsername,
      // and ARequestInfo.AuthPassword as needed...
    end;
    // DigestAuthIsNeeded is a placeholder for your own "Digest Authentication is needed" check
    if DigestAuthIsNeeded then
    begin
      AResponseInfo.ResponseNo := 401;
      AResponseInfo.WWWAuthenticate.Add('Digest ...');
      // or:
      // AResponseInfo.CustomHeaders.Values['WWW-Authenticate'] := 'Digest ...';
      Exit;
    end;
    // ...
  end;
« Last Edit: March 09, 2024, 10:22:30 pm by Remy Lebeau »
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)

mrdebug

Re: IdHTTPServer and digest authentication
« Reply #2 on: March 10, 2024, 08:57:29 am »
Many thanks for your reply.
Now the client sends this header to the server:

Authorization: Digest username="Admin", realm="", nonce="", algorithm="MD5", uri="/Path", response="dc9857e3e15a18babf11b71edbd68359"

I think I have to build a text with user id, password and a digest text in order to obtain the same md5 algorithm.
How can I build it? Or how can I validate this header?

Remy Lebeau

Re: IdHTTPServer and digest authentication
« Reply #3 on: March 11, 2024, 11:46:13 pm »
> Now the client sends this header to the server:
>
> Authorization: Digest username="Admin", realm="", nonce="", algorithm="MD5", uri="/Path", response="dc9857e3e15a18babf11b71edbd68359"

All that data is available in the AAuthData parameter of the OnParseAuthentication event.

> I think I have to build a text with user id, password and a digest text in order to obtain the same md5 algorithm.
> How can I build it? Or how can I validate this header?

You have to parse and validate it yourself, following the rules of RFC 7616.  Indy does not provide a server-side framework for parsing authentication (only client-side - see the TIdDigestAuthentication class used by the TIdHTTP client).
Remy Lebeau
Lebeau Software - Owner, Developer
Internet Direct (Indy) - Admin, Developer (Support forum)
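
The validation the last reply leaves to the reader, as an added example (not code from the thread or from Indy): it parses the text that arrives in AAuthData and recomputes the MD5 digest response per RFC 7616, with and without qop. MD5Hex, ParseParams and DigestValid are hypothetical names; it assumes Indy 10.6 units, a password the server can look up in clear text, and a nonce the server issued and remembered.

```pascal
program DigestCheck; {$IFDEF FPC}{$mode delphi}{$ENDIF}
uses SysUtils, Classes, IdGlobal, IdHashMessageDigest; // assumes Indy 10.6 on the unit path

function MD5Hex(const S: string): string;
begin
  with TIdHashMessageDigest5.Create do
    try Result := LowerCase(HashStringAsHex(S, IndyTextEncoding_UTF8)); finally Free; end;
end;

// Split AAuthData ('key="value", key2=value2') into pairs; backslash escapes not handled.
procedure ParseParams(const Data: string; Params: TStrings);
var I, N: Integer; Key, Val: string; Quoted: Boolean;
begin
  I := 1; N := Length(Data);
  while I <= N do begin
    Key := ''; Val := '';
    while (I <= N) and ((Data[I] = ' ') or (Data[I] = ',')) do Inc(I);
    while (I <= N) and (Data[I] <> '=') do begin Key := Key + Data[I]; Inc(I); end;
    Quoted := (I < N) and (Data[I + 1] = '"');
    if Quoted then Inc(I, 2) else Inc(I); // skip '=' and any opening quote
    while (I <= N) and (Data[I] <> '"') and (Quoted or (Data[I] <> ',')) do
      begin Val := Val + Data[I]; Inc(I); end;
    if Quoted then Inc(I); // skip closing quote
    if Key <> '' then Params.Values[LowerCase(Trim(Key))] := Trim(Val);
  end;
end;

// True when the client's response equals the digest computed from the stored password.
function DigestValid(const AuthData, Method, Password, ServerNonce: string): Boolean;
var P: TStringList; HA1, HA2, Mid: string;
begin
  P := TStringList.Create;
  try
    ParseParams(AuthData, P);
    HA1 := MD5Hex(P.Values['username'] + ':' + P.Values['realm'] + ':' + Password);
    HA2 := MD5Hex(Method + ':' + P.Values['uri']);
    Mid := ''; // stays empty when the client sent no qop, as in the header in the thread
    if P.Values['qop'] = 'auth' then Mid := P.Values['nc'] + ':' + P.Values['cnonce'] + ':auth:';
    Result := (ServerNonce <> '') and (P.Values['nonce'] = ServerNonce) and
      (LowerCase(P.Values['response']) = MD5Hex(HA1 + ':' + ServerNonce + ':' + Mid + HA2));
  finally P.Free; end;
end;

const Nonce = 'dcd98b7102dd2f0e8b11d0f600bfb0c093'; // constructed sample: RFC 2617 section 3.5 values
  Sample = 'username="Mufasa", realm="testrealm@host.com", nonce="' + Nonce + '", uri="/dir/index.html", ' +
    'qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1"';
begin
  WriteLn('stored password: ', DigestValid(Sample, 'GET', 'Circle Of Life', Nonce));
  WriteLn('other password:  ', DigestValid(Sample, 'GET', 'not-the-password', Nonce));
end.
```

A request with an empty or unknown nonce, like the header quoted in the thread, fails the nonce check before the digest is compared. A real handler should also confirm that the uri parameter matches the requested resource and expire nonces after use.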

 
