
I'm configuring a Symfony2 application using the FOSUserBundle to use http_digest authentication. This is with Symfony 2.1.0-BETA2.

In security.yml, I am simply switching out http_basic for http_digest and adding the required key property. All else remains the same.

Relevant configuration that works:

firewalls:
    main:         
        pattern: ^/
        anonymous: ~
        form_login: false            
        provider: fos_user_bundle
        http_basic:
            realm: "Example Realm"

Relevant configuration that does not work:

firewalls:
    main:         
        pattern: ^/
        anonymous: ~
        form_login: false            
        provider: fos_user_bundle
        http_digest:
            realm: "Example Realm"
            key: "%secret%"

As you can see, the only difference is switching out http_basic for http_digest. Changing the value of the key property appears to make no difference.

When using an in_memory provider, http_digest works just fine. This matter is only present when using the fos_user_bundle provider.

By working, I mean that when using http_basic, the valid user credentials are accepted. When using http_digest the same valid user details are not accepted and the browser's default http authentication prompt is re-displayed.

Between security configuration changes, I clear both the dev and prod caches, empty the browser cache and close the browser.

Is there something critical I'm missing from the configuration?

Update

I've logged a successful http_basic attempt and an unsuccessful http_digest attempt and diffed the logs.

Both logs are identical up to and including where Doctrine logs the SQL query used for authentication.

Following the authentication query in the http_digest log are the lines:

security.DEBUG: Expected response: '3460e5c31b09d4e8872650838a0c0f1a' but received: '5debe5d0028f65ae292ffdea2616ac19'; is AuthenticationDao returning clear text passwords? [] []
security.INFO: exception 'Symfony\Component\Security\Core\Exception\BadCredentialsException' with message 'Incorrect response' in /home/jon/www/local.app.simplytestable.com/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php:105

Passwords, using the FOSUserBundle, are salted and hashed.

I'd like to ascertain whether this matter arises due to a misconfiguration on my part or whether it's a bug in the FOSUserBundle.

Jon Cram

1 Answer


HTTP digest authentication works, in short, by comparing hashes calculated from values including the username, realm, password and various nonce and replay-avoidance values.

The plaintext password is required on both the client and server side to generate the same hashes.

FOSUserBundle salts and hashes passwords.

The server-side hash generated within the Symfony\Component\Security\Http\Firewall\DigestAuthenticationListener class will be passed a hashed not plaintext password and so can never generate the correct hash for comparison.

Jon Cram