Hi Tim, Your request should be successful if you omit the send-authorization attribute:
“If send-authorization is true (default value is false) and the authentication method supports generating the header Authorization without challenge, the request contains this header. The default value is to send a non-authenticated request, and if the response is an authentication challenge, then only send the credentials in a second message.” [1] If you use Basic authentication, you can reduce the communication to a single request by sending the authorization with the first request. With Digest authentication, there will always be two requests. With the (still to be finalized) HTTP Client module 2.0, send-authorization will disappear, and it will be up to the implementation to decide how many requests will be sent [2]. Hope this helps, Christian [1] http://expath.org/spec/http-client#d2e430 [2] https://expath.github.io/expath-cg/specs/http-client-2/ On Wed, Feb 2, 2022 at 6:19 PM Tim Thompson <timat...@gmail.com> wrote: > > Thanks, Andy! That's very handy. So, when I test against httpbin, the same > thing happens. > > curl request: > curl --digest --user user:pw -X GET > 'http://httpbin.org/digest-auth/auth/user/pw' > > response: > { > "authenticated": true, > "user": "user" > } > > BaseX request: > let $endpoint := "http://httpbin.org/digest-auth/auth/user/pw" > > let $response := ( > http:send-request( > <http:request > method="GET" > href="{$endpoint}" > username="user" > password="pw" > auth-method="Digest" > send-authorization="true"> > <http:header > name="Content-Type" > value="{$type}; charset=utf-8"/> > </http:request> > ) > ) > return > $response > > response: > <http:response xmlns:http="http://expath.org/ns/http-client" status="401" > message="UNAUTHORIZED"> > <http:header name="Server" value="gunicorn/19.9.0"/> > <http:header name="Access-Control-Allow-Origin" value="*"/> > <http:header name="Access-Control-Allow-Credentials" value="true"/> > <http:header name="WWW-Authenticate" value="Digest > realm="m...@kennethreitz.com", > nonce="36d59385e96e1689595f4f14fa2921ca", qop="auth", > opaque="a21df3287b5cb9cbf8b6a68b2c15fa1d", algorithm=MD5, > stale=FALSE"/> > <http:header name="Connection" value="keep-alive"/> > <http:header name="Set-Cookie" value="fake=fake_value; Path=/"/> > <http:header name="Set-Cookie" value="stale_after=never; Path=/"/> > <http:header name="Content-Length" value="0"/> > <http:header name="Date" value="Wed, 02 Feb 2022 17:14:13 GMT"/> > <http:header name="Content-Type" value="text/html; charset=utf-8"/> > </http:response> > > > -- > Tim A. Thompson > Metadata Librarian > Yale University Library > > > On Wed, Feb 2, 2022 at 12:06 PM Andy Bunce <bunce.a...@gmail.com> wrote: >> >> I find httpbin.org a useful resource to test this kind of thing [1] and [2] >> /Andy >> >> [1] http://httpbin.org/#/Auth/get_basic_auth__user___passwd_ >> [2] http://httpbin.org/basic-auth/user1/mypass >> >> On Wed, 2 Feb 2022 at 16:58, Christian Grün <christian.gr...@gmail.com> >> wrote: >>> >>> Good to hear; so at least Digest is detected at this stage ;) >>> >>> >>> Tim Thompson <timat...@gmail.com> schrieb am Mi., 2. Feb. 2022, 17:54: >>>> >>>> With "digest" I get: "[experr:HC0004] Invalid authentication method: >>>> digest." >>>> >>>> -- >>>> Tim A. Thompson >>>> Metadata Librarian >>>> Yale University Library >>>> >>>> On Wed, Feb 2, 2022 at 11:52 AM Christian Grün <christian.gr...@gmail.com> >>>> wrote: >>>>> >>>>> Yes, it should still be supported. I assume it doesn't make a difference >>>>> if you use "Digest" or "digest"? >>>>> >>>>> >>>>> >>>>> Tim Thompson <timat...@gmail.com> schrieb am Mi., 2. Feb. 2022, 17:48: >>>>>> >>>>>> Thanks, Christian. Right, that wasn't a working example. The server I'm >>>>>> querying is behind a firewall, so I can't really reproduce the issue >>>>>> unfortunately. >>>>>> >>>>>> The BaseX documentation states that the HTTP client does support Digest >>>>>> authentication. However, I did some poking around using Wireshark and >>>>>> limited knowledge of network traffic. When I run the request in curl, >>>>>> the expected protocol is played out, and I see the evidence in Wireshark: >>>>>> >>>>>> (1) The server responds with "401 Unauthorized" and provides the nonce >>>>>> value. >>>>>> (2) The client (curl) then does its business (supplies the username and >>>>>> password, resends the request, etc.) >>>>>> >>>>>> But when I submit the request via BaseX, it never gets past step (1). It >>>>>> never seems to send the username and password at all. Is Digest >>>>>> authentication still supported? >>>>>> >>>>>> Best, >>>>>> Tim >>>>>> >>>>>> >>>>>> -- >>>>>> Tim A. Thompson >>>>>> Metadata Librarian >>>>>> Yale University Library >>>>>> >>>>>> >>>>>> On Wed, Feb 2, 2022 at 10:13 AM Christian Grün >>>>>> <christian.gr...@gmail.com> wrote: >>>>>>> >>>>>>> Hi Tim, >>>>>>> >>>>>>> Difficult to tell; both the curl and the XQuery variants give me 404. >>>>>>> Do you think you could provide us with an example that works out of >>>>>>> the box? >>>>>>> >>>>>>> Best, >>>>>>> Christian >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Feb 2, 2022 at 12:54 AM Tim Thompson <timat...@gmail.com> wrote: >>>>>>> > >>>>>>> > Hello, >>>>>>> > >>>>>>> > I'm trying to post a SPARQL query to an endpoint using Digest >>>>>>> > authentication with the HTTP client. >>>>>>> > >>>>>>> > The query works fine using curl: >>>>>>> > >>>>>>> > curl --digest --user user:pass -X POST -d@'test.rq' \ >>>>>>> > -H "Content-type: application/sparql-query" \ >>>>>>> > 'http://example.org/sparql' >>>>>>> > >>>>>>> > But the equivalent request in BaseX fails with 401 Unauthorized: >>>>>>> > >>>>>>> > let $endpoint := "http://example.org/sparql" >>>>>>> > let $user := "user" >>>>>>> > let $pass := "pass" >>>>>>> > let $type := "application/sparql-query" >>>>>>> > >>>>>>> > let $response := ( >>>>>>> > http:send-request( >>>>>>> > <http:request >>>>>>> > method="POST" >>>>>>> > href="{$endpoint}" >>>>>>> > username="{$user}" >>>>>>> > password="{$pass}" >>>>>>> > auth-method="Digest" >>>>>>> > send-authorization="true"> >>>>>>> > <http:header >>>>>>> > name="Content-Type" >>>>>>> > value="{$type}; charset=utf-8"/> >>>>>>> > <http:body >>>>>>> > media-type="{$type}">{ >>>>>>> > ``[ >>>>>>> > select * where {?s ?p ?o} limit 1 >>>>>>> > ]`` >>>>>>> > }</http:body> >>>>>>> > </http:request> >>>>>>> > ) >>>>>>> > ) >>>>>>> > return >>>>>>> > $response >>>>>>> > >>>>>>> > Any ideas about what might be causing the BaseX HTTP client to be >>>>>>> > denied here? >>>>>>> > >>>>>>> > Thanks in advance, >>>>>>> > Tim >>>>>>> > >>>>>>> > >>>>>>> > -- >>>>>>> > Tim A. Thompson >>>>>>> > Metadata Librarian >>>>>>> > Yale University Library >>>>>>> >