Digest Authentification

[tsilaRaf]

Good morning,

We need information about taking into account with APIMAN Authentication Digest.

Context: We have data providers who expose their data in Digest Authent (with the Tomcat servlet engine).
However this doesn't work.

---

Preamble :

Please note (because it is essential to understand the analysis): the client values “digestURI” for this calculation thanks to the endpoint. In other words everything that comes after the server:port/DNS.
For example :

• Via load balancer: endpoint= https://serveur/reponse-ws-webapp/services/resource of WS
  so DigestUri = /response-ws-webapp/services/WS resource
• Via APIMAN: endpoint =https://portail-apiman/organization/api/version api/reponse-ws-webapp/services/resource of WS
  so digestURI= /organization/api/version api/response-ws-webapp/services/WS resource
  • When the server receives the second call, it repeats the calculation that the client did and if its result for “response” is the same as the one that the client sent it,
  it validates the authentication, otherwise returns a 401 error

Let's keep this preamble in mind to move on to the analysis.
Let us also specify that 2 settings are involved in the overall behavior:
• rewriting the uri by APIMAN: rewrite_URI
• validation of the uri by DIGEST: validateuri

---

What we observed:
The reason for the KO is the rewriting of the URI by APIMAN. As stated in the preamble, the client takes the URI of the endpoint and therefore,
in the APIMAN context, uri =/organization/api/api version/response-ws-webapp/services/WS resource for client-side calculation
On the other hand, as the server receives in the uri, following the rewriting, the value "/reponse-ws-webapp/services/resource of WS",
the response calculation necessarily gives a different result.
Nothing to do with the valuation of the DIGEST validator parameter
Rewriting the Uri is an invalid solution, because the client and server must use the same values to calculate the header responses
and it is not possible to influence how Digest, on the client side, extracts this value from the endpoint.
The APIMAN endpoint would have to be "https://portail-apiman/organization/api/version api/reponse-ws-webapp/services/ressource du WS" which is not possible because APIMAN must be able to differentiate between environments.

This also implies having to set the validator to false in DIGEST, which could lead to other problems.

---

Can you please enlighten us on this subject and possibly give us some feedback?

THANKS,
Sincerely,

[msavy]

Given the complexity of this issue, it is a query that falls within the realms of commercial support. Are you one of my customers? If so, please do reach out directly to me and I'll be happy to start a discussion! My email address is [email protected].