Using HTTP DIGEST authentication with WordPress’ wp_remote_get()

HTTP BASIC authentication (Wikipedia) is a form of client / server authentication where the username and password are base64 encoded in the request header. However, because these credentials can be easily decoded, BASIC authentication requires SSL for the request to be secured.

HTTP DIGEST authentication (Wikipedia) permits more secure communication between the client and server over insecure HTTP. It’s also a fair bit more challenging to implement, for a couple of reasons:

  1. Every API call actually requires two HTTP requests. Although the first request will fail with 401 Unauthorized, it returns a www-authenticate response header with values critical for signing the second request.
  2. Sending the second request requires creating a signature with several variables where the order matters. Because of the number of variables (pun intended), debugging authentication failures can be very frustrating.
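The two-request exchange described above, as an added example that is not the function from the original post: it parses the challenge from the first response (including quoted values that contain spaces) and builds the Authorization header for the second request. The example_* function names are hypothetical, and the sample challenge uses the values from RFC 2617 section 3.5.

```php
<?php
// Added example; the example_* names are hypothetical, not WordPress APIs.

// Parse a WWW-Authenticate Digest challenge. Quoted values may contain spaces.
function example_parse_digest_challenge( string $header ): array {
	$params = array();
	if ( ! preg_match( '/^\s*Digest\s+(.*)$/i', $header, $m ) ) {
		return $params; // Not a Digest challenge.
	}
	preg_match_all( '/(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))/', $m[1], $pairs, PREG_SET_ORDER );
	foreach ( $pairs as $p ) {
		// Group 2 is the quoted form, group 3 the bare token form.
		$params[ strtolower( $p[1] ) ] = $p[3] ?? $p[2];
	}
	return $params;
}

// Build the Authorization header for the second request (MD5 with qop=auth,
// or the legacy form when the server offers no qop).
function example_digest_header( array $c, string $user, string $pass, string $method, string $uri, string $cnonce, int $nc = 1 ): string {
	$alg = strtoupper( $c['algorithm'] ?? 'MD5' );
	if ( ! isset( $c['realm'], $c['nonce'] ) || 'MD5' !== $alg ) {
		throw new InvalidArgumentException( 'Need realm, nonce and algorithm MD5.' );
	}
	$ha1 = md5( "$user:{$c['realm']}:$pass" );
	$ha2 = md5( "$method:$uri" );
	$h   = sprintf( 'Digest username="%s", realm="%s", nonce="%s", uri="%s"', $user, $c['realm'], $c['nonce'], $uri );
	if ( isset( $c['qop'] ) ) {
		if ( ! in_array( 'auth', array_map( 'trim', explode( ',', $c['qop'] ) ), true ) ) {
			throw new InvalidArgumentException( 'Server does not offer qop=auth.' );
		}
		$nc_hex   = sprintf( '%08x', $nc );
		// Order matters: HA1, nonce, nc, cnonce, qop, HA2.
		$response = md5( "$ha1:{$c['nonce']}:$nc_hex:$cnonce:auth:$ha2" );
		$h       .= sprintf( ', qop=auth, nc=%s, cnonce="%s"', $nc_hex, $cnonce );
	} else {
		$response = md5( "$ha1:{$c['nonce']}:$ha2" );
	}
	$h .= sprintf( ', response="%s"', $response );
	if ( isset( $c['opaque'] ) ) {
		$h .= sprintf( ', opaque="%s"', $c['opaque'] ); // Echoed back unchanged.
	}
	return $h;
}

// Constructed input: the sample values from RFC 2617 section 3.5. In real use
// the cnonce would be random, e.g. bin2hex( random_bytes( 8 ) ).
$challenge = 'Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"';
echo example_digest_header( example_parse_digest_challenge( $challenge ), 'Mufasa', 'Circle Of Life', 'GET', '/dir/index.html', '0a4f113b' ), "\n";
```

In WordPress, the challenge would be read from the first response with wp_remote_retrieve_header( $response, 'www-authenticate' ), and the returned string passed to the second wp_remote_get() call as the Authorization entry of its headers argument. Because the inputs are the RFC's own sample, the printed response value can be compared against the one given in RFC 2617 section 3.5.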

To make HTTP DIGEST authentication requests easier in WordPress, here’s a function you can use:

6 Comments

Ryan Hellyer, July 4, 2018

Unfortunately this throws an error because $request is not declared. I’m trying to work out a solution to this.

Ryan Hellyer, July 4, 2018

For anyone wanting to just implement this via https, just check out the tutorial by John Blackbourn. It’s a lot simpler when you don’t need to handle the security side of things yourself 🙂

https://johnblackbourn.com/wordpress-http-api-basicauth/

Mathias Methner, August 19, 2021

Hi Ryan, this is a late reply, but your comment is related to HTTP Basic Auth. In this case you are right, it is a lot simpler. But if you need to deal with HTTP Digest Auth as stated in this article, you need to create the auth header by yourself,

campusboy, December 20, 2018

Hi! And where is the $request variable defined on the 23rd row?

Daniel Bachhuber, December 20, 2018

Hm, great question. I think that’s whatever query arguments you’re passing in the initial request. This code snippet was prepared from some existing production code, but I don’t recall the exact details at this point.

Mathias Methner, August 19, 2021

Hi Daniel, your article still solves a problem in my WordPress plugin. Thanks for sharing.
Your regexp #(([\w]+)=["]?([^\s"]+))# is not able to deal with auth headers with spaces in the header fields. An example header is 'Digest realm="myown authentication",qop="auth",nonce="61…f9a552",opaque="a707ae2edc22….a9af0fd335"'. The algorithm will fetch realm="myown", which is wrong. Based on your script I commented on an update on GitHub: https://github.com/WordPress/Requests/issues/245#issuecomment-901773002
