Add support for digest authentication with an HTTP proxy

[spectrumjade]

Currently, requests only supports HTTP basic authentication to a proxy. It would be very useful to support digest authentication with a proxy as well.

Additionally, there should be some way to signal that requests should not attempt to pass proxy credentials in plaintext before receiving the digest nonce from the proxy.

[Lukasa]

@justintime32 Thanks for the feature request!

It should be entirely possible to write a short authentication handler that does exactly what you need: a quick Google showed this as the top result. Because of the ease of adding such a thing yourself, and because it's relatively infrequently used, we don't believe there's much advantage in bringing Proxy Digest Auth into the core library.

[spectrumjade]

Hi @Lukasa, I actually started by writing an auth handler. The main issue I ran into was that it only works for non-SSL requests. SSL requests through a proxy are made through a CONNECT tunnel, and the CONNECT request must be authenticated. The auth handler appears to be unable to hook into the proxy tunnel creation step, and therefore SSL requests will always fail.

Are there other ways to add this authentication without modifying the core? Maybe some more hooks around the proxy tunnel creation?

[Lukasa]

Unfortunately, what you need is not possible with httplib. To do the CONNECT tunnel in httplib, you end up in the _tunnel method, which has the following code:

    def _tunnel(self):
        connect_str = "CONNECT %s:%d HTTP/1.0\r\n" % (self._tunnel_host,
            self._tunnel_port)
        connect_bytes = connect_str.encode("ascii")
        self.send(connect_bytes)
        for header, value in self._tunnel_headers.items():
            header_str = "%s: %s\r\n" % (header, value)
            header_bytes = header_str.encode("latin-1")
            self.send(header_bytes)
        self.send(b'\r\n')

        response = self.response_class(self.sock, method=self._method)
        (version, code, message) = response._read_status()

        if code != 200:
            self.close()
            raise OSError("Tunnel connection failed: %d %s" % (code,
                                                               message.strip()))

As you can see, there is no way to hook into a 407 response here. We can only do this by overriding the way the HTTP connection functions, which is something we do in urllib3: I recommend opening a feature request there.