Digest authentication in ASP.NET Core / Kestrel

Question

Is it possible to use digest authentication in ASP.NET Core / Kestrel? If it is, how do I enable and use it?

I know that basic authentication is not and will not be implemented because it's considered insecure and slow, but I can't find anything at all about digest.

I don't want to use IIS' authentication because I don't want to be tied to Windows accounts, I want use a custom credentials validation logic.

Answer 1

If someone is looking for the answer. This code is working for me:

using System.ServiceModel;

var binding = new BasicHttpBinding();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Digest;
binding.TextEncoding = Encoding.UTF8;
binding.TransferMode = TransferMode.Buffered;
binding.AllowCookies = false;
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;

var endpoint = new EndpointAddress(new Uri("http://website.domain/WebService.svc"));
var client = new MessageServiceClient(binding, endpoint);
client.ClientCredentials.HttpDigest.ClientCredential.UserName = "username";
client.ClientCredentials.HttpDigest.ClientCredential.Password = "password";

var response = client.CallMethod();

Answer 2

The only implementation of digest auth currently available with Core is the one in IIS that's tied to integrated windows auth.

Answer 3

Few thing about Kestrel, WebListener servers and authentication

• Kestrel does not directly support Windows Auth
• you must use WebListener or IIS + Kestrel to achieve that
• you just need to add forwardWindowsAuthToken="true" in your web.config file - https://github.com/aspnet/IISIntegration/blob/dev/samples/IISSample/web.config#L13
• WebListener exposes AuthenticationManager - that can be used to configure the server authentication

And example how you can allow anonymous users using WebListener:

builder.UseWebListener(options =>
{    
     options.Listener.AuthenticationManager.AuthenticationSchemes = AuthenticationSchemes.AllowAnonymous;
});