/auth

The authentication realm as returned in a 401 response.

The username to authenticate with.

The server nonce as returned in a 401 response. Server nonces have a lifetime of about 1 minute. This means a client has to be able to complete the digest login within a minute of receiving a 401 response. If it fails to do so, the server would reject an authentication request, even though the credentials may have been valid. If this were to happen, the client would simply have to redo the digest login with the new nonce. It is therefore advisable for the client to (temporarily) save the password the user entered, so that if the 1 minute lifetime were to expire, the client could reissue the request without having to prompt the user for credentials again.

A client-selected nonce. This should be generated with a cryptographically strong random number generator.

The purpose of the client-nonce is to prevent chosen plain-text attacks by a malicious server (or intermediary). Without the client nonce, a malicious server could try to guess the password by sending specially crafted nonce values. The client nonce prevents such attacks as long as the client uses new and cryptographically strong random value on each login attempt.