Bug in digest authentication

I've done a search of the mailing list and not found anything informative, but possibly missed something, this is my first comment on this mailing list.

From RFC 2617 (HTTP Authentication: Basic and Digest Access Authentication), which specifies Digest Authentication, the section discussing the "digest-uri" element states:

"digest-uri: The URI from Request-URI of the Request-Line; duplicated here because proxies are allowed to change the Request-Line in transit."

and the detailed discussion on calculation of the digest value specifically says:

"where "digest-uri-value" is the value of the "uri" directive on the Authorization header in the request."

That is, the "digest-uri" provided in the Authorization header is what should be used in calculating the digest for authentication purposes, not the request URI - because that string may change between the client and the ultimate server responding to the request.

However, it looks like this has been implemented incorrectly in Rails ActionController::HttpAuthentication for some time - for example from actionpack-3.0.7/lib/action_controller/metal/http_authentication.rb line 188:

    uri = credentials[:uri][0,1] == '/' ? request.fullpath : request.url

This should be simply:

    uri = credentials[:uri]

We ran into this bug when switching from a Java Spring/Acegi authentication handler to Rails HttpAuthentication. It had always worked perfectly with Acegi. Rails digest authentication worked fine when connecting directly to the server it was installed on, but when connecting to a front-end server that rewrites the URLs, Rails digest authentication always failed. With the above patch, digest authentication works correctly again.

If there's a need to verify that the digest-uri matches in some way the request uri the server should do that separately from the actual digest authentication piece, which should just match the specifications of RFC 2617. Agreed?

Having heard no response here...

I posted on GitHub with a fix, pull request #2323:

https://github.com/rails/rails/pull/2323

   Arthur
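The calculation the post describes, as an added example that is not part of the original message and not Rails' own code: an RFC 2617 digest response (qop=auth) computed by a client for the URI it requested, then checked on the server two ways, once hashing the "uri" directive from the Authorization header as the RFC specifies and once hashing the request path the server actually received. The realm, password, nonce values, the Authorization header and the proxy rewrite from /api/items?x=1 to /backend/items?x=1 are all constructed for illustration; the separate `uri_matches_request?` policy check is the "do that separately" idea from the post, not anything Rails implements.

```ruby
require 'digest/md5'

# Added example (not from the original post or from Rails). All values
# below are constructed; nothing here is a real credential or nonce.

def md5(s)
  Digest::MD5.hexdigest(s)
end

# RFC 2617 section 3.2.2, qop=auth:
#   HA1      = MD5(username:realm:password)
#   HA2      = MD5(method:digest-uri-value)
#   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
def digest_response(username:, realm:, password:, method:, uri:,
                    nonce:, nc:, cnonce:, qop: 'auth')
  ha1 = md5("#{username}:#{realm}:#{password}")
  ha2 = md5("#{method}:#{uri}")
  md5("#{ha1}:#{nonce}:#{nc}:#{cnonce}:#{qop}:#{ha2}")
end

# Parse 'Digest k="v", k2=v2, ...' into a Hash keyed by symbol.
# Quoted and unquoted directive values are both accepted.
def parse_digest_header(header)
  raise ArgumentError, 'not a Digest header' unless header.start_with?('Digest ')
  header.sub(/\ADigest\s+/, '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]*))/)
        .each_with_object({}) { |(k, quoted, bare), acc| acc[k.to_sym] = quoted || bare }
end

# Build the Authorization header a client would send for +uri+.
def build_authorization(username:, realm:, password:, method:, uri:, nonce:, nc:, cnonce:)
  resp = digest_response(username: username, realm: realm, password: password,
                         method: method, uri: uri, nonce: nonce, nc: nc, cnonce: cnonce)
  %(Digest username="#{username}", realm="#{realm}", nonce="#{nonce}", uri="#{uri}", ) +
    %(qop=auth, nc=#{nc}, cnonce="#{cnonce}", response="#{resp}")
end

# Server check as RFC 2617 specifies: HA2 is built from the "uri"
# directive in the Authorization header, i.e. the value the client hashed.
def valid_per_rfc?(credentials, method, realm, password)
  expected = digest_response(username: credentials[:username], realm: realm, password: password,
                             method: method, uri: credentials[:uri], nonce: credentials[:nonce],
                             nc: credentials[:nc], cnonce: credentials[:cnonce])
  expected == credentials[:response]
end

# Server check that hashes the path the server actually received instead.
# This is the behaviour the post describes: it fails whenever something
# between client and server rewrites the Request-URI.
def valid_against_request_path?(credentials, method, request_path, realm, password)
  expected = digest_response(username: credentials[:username], realm: realm, password: password,
                             method: method, uri: request_path, nonce: credentials[:nonce],
                             nc: credentials[:nc], cnonce: credentials[:cnonce])
  expected == credentials[:response]
end

# Separate policy check, kept out of the digest comparison, for servers
# that want to constrain what URI the client may have signed.
def uri_matches_request?(credentials, request_path)
  credentials[:uri] == request_path
end

# Constructed scenario: the client signs /api/items?x=1; a front-end
# proxy rewrites the path to /backend/items?x=1 before it reaches the app.
REALM         = 'example'
PASSWORD      = 'correct horse battery staple'
CLIENT_URI    = '/api/items?x=1'
REWRITTEN_URI = '/backend/items?x=1'
AUTH_HEADER   = build_authorization(username: 'arthur', realm: REALM, password: PASSWORD,
                                    method: 'GET', uri: CLIENT_URI,
                                    nonce: 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
                                    nc: '00000001', cnonce: '0a4f113b')

if __FILE__ == $PROGRAM_NAME
  creds = parse_digest_header(AUTH_HEADER)
  puts "RFC check (uri directive), behind proxy: #{valid_per_rfc?(creds, 'GET', REALM, PASSWORD)}"
  puts "request-path check, behind proxy:        #{valid_against_request_path?(creds, 'GET', REWRITTEN_URI, REALM, PASSWORD)}"
  puts "request-path check, direct to server:    #{valid_against_request_path?(creds, 'GET', CLIENT_URI, REALM, PASSWORD)}"
end
```

Run it directly and the first and third checks succeed while the second fails, which is exactly the symptom in the post: the same header authenticates when the client talks to the Rails server directly and is rejected once a rewriting front-end sits in between. The digest comparison only proves the client knows the password for the uri it signed; whether that uri is acceptable for the path actually served is a separate decision, which is why `uri_matches_request?` is its own function rather than folded into the hash.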