Digest Authentication error with niquests

[drewski3420]

Authentication to a Baikal server with digest auth is failing since 2.1.0. Reverting back to 2.0.1 resolves the issue. Below you can see logs from a successful auth using 2.0.1 and a failure using 2.1.2.

Success:

DEBUG:caldav:url: https://subdomain.domain.com/dav.php/calendars/username/
DEBUG:caldav:self.url: https://subdomain.domain.com/dav.php/calendars/username/
DEBUG:caldav:sending request - method=PROPFIND, url=https://subdomain.domain.com/dav.php/calendars/username/, headers={'User-Agent': 'python-caldav/2.0.1', 'Content-Type': 'text/xml', 'Accept': 'text/xml, text/calendar', 'Depth': '0'}
body:
<?xml version='1.0' encoding='utf-8'?>
<D:propfind xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav"><D:prop><D:current-user-principal/></D:prop></D:propfind>
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): subdomain.domain.com:443
DEBUG:urllib3.connectionpool:https://subdomain.domain.com:443 "PROPFIND /dav.php/calendars/username/ HTTP/2.0" 401 None
DEBUG:caldav:server responded with 401 Unauthorized
DEBUG:caldav:response headers: {'server': 'openresty', 'date': 'Thu, 20 Nov 2025 20:36:30 GMT', 'content-type': 'application/xml; charset=utf-8', 'set-cookie': 'PHPSESSID=XXXXXXXXx; path=/; HttpOnly', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate', 'pragma': 'no-cache', 'x-sabre-version': '4.7.0', 'vary': 'Brief,Prefer', 'dav': '1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, calendar-access, calendar-proxy, calendar-auto-schedule, calendar-availability, resource-sharing, calendarserver-sharing, addressbook', 'www-authenticate': 'Digest realm="BaikalDAV",qop="auth",nonce="691f7bce85f46",opaque="d66d5f0524036afcb61420e358f990ce"', 'strict-transport-security': 'max-age=63072000; preload'}
DEBUG:caldav:response status: 401
DEBUG:caldav:b'<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>No \'Authorization: Digest\' header found. Either the client didn\'t send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:b'<?xml version="1.0" encoding="utf-8"?>\n<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>No \'Authorization: Digest\' header found. Either the client didn\'t send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:sending request - method=PROPFIND, url=https://subdomain.domain.com/dav.php/calendars/username/, headers={'User-Agent': 'python-caldav/2.0.1', 'Content-Type': 'text/xml', 'Accept': 'text/xml, text/calendar', 'Depth': '0'}
body:
<?xml version='1.0' encoding='utf-8'?>
<D:propfind xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav"><D:prop><D:current-user-principal/></D:prop></D:propfind>
DEBUG:urllib3.connectionpool:https://subdomain.domain.com:443 "PROPFIND /dav.php/calendars/username/ HTTP/2.0" 401 None
DEBUG:urllib3.connectionpool:https://subdomain.domain.com:443 "PROPFIND /dav.php/calendars/username/ HTTP/2.0" 401 None
DEBUG:caldav:server responded with 401 Unauthorized
DEBUG:caldav:response headers: {'server': 'openresty', 'date': 'Thu, 20 Nov 2025 20:36:30 GMT', 'content-type': 'application/xml; charset=utf-8', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate', 'pragma': 'no-cache', 'x-sabre-version': '4.7.0', 'vary': 'Brief,Prefer', 'dav': '1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, calendar-access, calendar-proxy, calendar-auto-schedule, calendar-availability, resource-sharing, calendarserver-sharing, addressbook', 'www-authenticate': 'Digest realm="BaikalDAV",qop="auth",nonce="691f7bce9f629",opaque="d66d5f0524036afcb61420e358f990ce"', 'strict-transport-security': 'max-age=63072000; preload'}
DEBUG:caldav:response status: 401
DEBUG:caldav:b'<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>Username or password was incorrect. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:b'<?xml version="1.0" encoding="utf-8"?>\n<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>Username or password was incorrect. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:sending request - method=PROPFIND, url=https://subdomain.domain.com/dav.php/calendars/username/, headers={'User-Agent': 'python-caldav/2.0.1', 'Content-Type': 'text/xml', 'Accept': 'text/xml, text/calendar', 'Depth': '0'}
body:
<?xml version='1.0' encoding='utf-8'?>
<D:propfind xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav"><D:prop><D:current-user-principal/></D:prop></D:propfind>
DEBUG:urllib3.connectionpool:https://subdomain.domain.com:443 "PROPFIND /dav.php/calendars/username/ HTTP/2.0" 401 None
DEBUG:urllib3.connectionpool:https://subdomain.domain.com:443 "PROPFIND /dav.php/calendars/username/ HTTP/2.0" 207 None
DEBUG:caldav:server responded with 207 Multi-Status
DEBUG:caldav:response headers: {'server': 'openresty', 'date': 'Thu, 20 Nov 2025 20:36:30 GMT', 'content-type': 'application/xml; charset=utf-8', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate', 'pragma': 'no-cache', 'x-sabre-version': '4.7.0', 'vary': 'Brief,Prefer', 'dav': '1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, calendar-access, calendar-proxy, calendar-auto-schedule, calendar-availability, resource-sharing, calendarserver-sharing, addressbook', 'strict-transport-security': 'max-age=63072000; preload'}
DEBUG:caldav:response status: 207
DEBUG:caldav:b'<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/" xmlns:card="urn:ietf:params:xml:ns:carddav">\n  <d:response>\n    <d:href>/dav.php/calendars/username/</d:href>\n    <d:propstat>\n      <d:prop>\n        <d:current-user-principal>\n          <d:href>/dav.php/principals/username/</d:href>\n        </d:current-user-principal>\n      </d:prop>\n      <d:status>HTTP/1.1 200 OK</d:status>\n    </d:propstat>\n  </d:response>\n</d:multistatus>\n'
DEBUG:caldav:b'<?xml version="1.0"?>\n<d:multistatus xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:cal="urn:ietf:params:xml:ns:caldav" xmlns:cs="http://calendarserver.org/ns/" xmlns:card="urn:ietf:params:xml:ns:carddav"><d:response><d:href>/dav.php/calendars/username/</d:href><d:propstat><d:prop><d:current-user-principal><d:href>/dav.php/principals/username/</d:href></d:current-user-principal></d:prop><d:status>HTTP/1.1 200 OK</d:status></d:propstat></d:response></d:multistatus>\n'

Failure:

DEBUG:urllib3.util.retry:Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=None, status=None)
DEBUG:urllib3.util.retry:Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=None, status=None)
DEBUG:caldav:url: https://subdomain.domain.com/dav.php/calendars/username/
DEBUG:caldav:self.url: https://subdomain.domain.com/dav.php/calendars/username/
DEBUG:caldav:sending request - method=PROPFIND, url=https://subdomain.domain.com/dav.php/calendars/username/, headers={'User-Agent': 'python-caldav/2.1.2', 'Content-Type': 'text/xml', 'Accept': 'text/xml, text/calendar', 'Depth': '0'}
body:
<?xml version='1.0' encoding='utf-8'?>
<D:propfind xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav"><D:prop><D:current-user-principal/></D:prop></D:propfind>
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): subdomain.domain.com:443
DEBUG:urllib3.util.retry:Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=None, status=None)
DEBUG:urllib3.util.retry:Converted retries value: 0 -> Retry(total=0, connect=None, read=None, redirect=None, status=None)
DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e8.c.lencr.org:80
DEBUG:urllib3.connectionpool:http://e8.c.lencr.org:80 "GET /93.crl HTTP/1.1" 200 57171
DEBUG:caldav:server responded with 401 Unauthorized
DEBUG:caldav:response headers: {'server': 'openresty', 'date': 'Thu, 20 Nov 2025 20:32:43 GMT', 'content-type': 'application/xml; charset=utf-8', 'set-cookie': 'PHPSESSID=XXXXXXXXX; path=/; HttpOnly', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate', 'pragma': 'no-cache', 'x-sabre-version': '4.7.0', 'vary': 'Brief,Prefer', 'dav': '1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, calendar-access, calendar-proxy, calendar-auto-schedule, calendar-availability, resource-sharing, calendarserver-sharing, addressbook', 'www-authenticate': 'Digest realm="BaikalDAV",qop="auth",nonce="691f7aebe4ccc",opaque="d66d5f0524036afcb61420e358f990ce"', 'strict-transport-security': 'max-age=63072000; preload'}
DEBUG:caldav:response status: 401
DEBUG:caldav:b'<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>No \'Authorization: Digest\' header found. Either the client didn\'t send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:b'<?xml version="1.0" encoding="utf-8"?>\n<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>No \'Authorization: Digest\' header found. Either the client didn\'t send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:sending request - method=PROPFIND, url=https://subdomain.domain.com/dav.php/calendars/username/, headers={'User-Agent': 'python-caldav/2.1.2', 'Content-Type': 'text/xml', 'Accept': 'text/xml, text/calendar', 'Depth': '0'}
body:
<?xml version='1.0' encoding='utf-8'?>
<D:propfind xmlns:D="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav"><D:prop><D:current-user-principal/></D:prop></D:propfind>
DEBUG:caldav:server responded with 401 Unauthorized
DEBUG:caldav:response headers: {'server': 'openresty', 'date': 'Thu, 20 Nov 2025 20:32:43 GMT', 'content-type': 'application/xml; charset=utf-8', 'expires': 'Thu, 19 Nov 1981 08:52:00 GMT', 'cache-control': 'no-store, no-cache, must-revalidate', 'pragma': 'no-cache', 'x-sabre-version': '4.7.0', 'vary': 'Brief,Prefer', 'dav': '1, 3, extended-mkcol, access-control, calendarserver-principal-property-search, calendar-access, calendar-proxy, calendar-auto-schedule, calendar-availability, resource-sharing, calendarserver-sharing, addressbook', 'www-authenticate': 'Digest realm="BaikalDAV",qop="auth",nonce="691f7aebeadab",opaque="d66d5f0524036afcb61420e358f990ce"', 'strict-transport-security': 'max-age=63072000; preload'}
DEBUG:caldav:response status: 401
DEBUG:caldav:b'<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>No \'Authorization: Digest\' header found. Either the client didn\'t send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
DEBUG:caldav:b'<?xml version="1.0" encoding="utf-8"?>\n<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">\n  <s:sabredav-version>4.7.0</s:sabredav-version>\n  <s:exception>Sabre\\DAV\\Exception\\NotAuthenticated</s:exception>\n  <s:message>No \'Authorization: Digest\' header found. Either the client didn\'t send one, or the server is misconfigured. Login was needed for privilege: {DAV:}read on calendars/username</s:message>\n</d:error>\n'
Traceback (most recent call last):
  File "/home/username/projects/baikal_test/123.py", line 24, in <module>
    principal = client.principal()
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davclient.py", line 647, in principal
    self._principal = Principal(client=self, *largs, **kwargs)
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/collection.py", line 235, in __init__
    cup = self.get_property(dav.CurrentUserPrincipal())
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davobject.py", line 259, in get_property
    foo = self.get_properties([prop], **passthrough)
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davobject.py", line 290, in get_properties
    response = self._query_properties(props, depth)
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davobject.py", line 191, in _query_properties
    return self._query(root, depth)
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davobject.py", line 219, in _query
    ret = getattr(self.client, query_method)(url, body, depth)
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davclient.py", line 711, in propfind
    return self.request(
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davclient.py", line 987, in request
    return self.request(str(url_obj), method, body, headers)
  File "/home/username/projects/baikal_test/.venv/lib/python3.10/site-packages/caldav/davclient.py", line 1029, in request
    raise error.AuthorizationError(url=str(url_obj), reason=reason)
caldav.lib.error.AuthorizationError: AuthorizationError at 'https://subdomain.domain.com/dav.php/calendars/username/', reason Unauthorized

[tobixen]

Are you running from a virtual environment? Could it be due to niquests vs requests library? How does 2.0.1 work out for you? But that seems weird, the non-failing logs mentions HTTP/2 ... hmm ....

I will look more into the logs, but I don't know if I will have time for it today.

[drewski3420]

Yeah, I'm running in a venv with only this project (plus whatever dependencies pip added) installed.

Pinning to 2.0.1 works fine, so that's the approach I've taken.

[tobixen]

Sorry, I meant 2.1.0, not 2.0.1 :-)

In pyproject.toml, there is the dependency on the niquests package. Could you please try to replace it with requests package? That's basically the difference between 2.1.0 and 2.1.2. Except, I think I may have removed niquests but forgotten to add requests in 2.1.0.

Except for that, I wonder if commit 4978418 may be relevant.

[tobixen]

It would be very useful if it could be possible to give me access to a test account on your calendar server, so I could investigate myself what changeset is breaking.

[drewski3420]

2.1.0 also fails, have to go back to 2.0.1 to get it to work out of the box.

Uninstalling niquests and simply using requests with 2.1.2 resolves the issue.

Unfortunately the calendar server is only accessible internally so I can't share for testing. However it is a bog-standard deployment of ckulka/baikal:nginx

[tobixen]

I was specifically working on baikal support wrg #553 before releasing 2.1.2. However, I guess the authentication is normally not done by baikal itself but by nginx. EDIT: not true, and it's clearly visible from the logs that the error is thrown by Baikal.

It's useful to know that requests (and HTTP/1.1) works while niquests (and HTTP/2) doesn't work. There is some ongoing worki in pull request #565 to switch from niquests to httpx. It would be useful if you have the time to check if that branch would work towards your server.

I'm also working on a caldav server tester project - https://github.com/python-caldav/caldav-server-tester - it's not quite production-ready yet, but if you can get it to work it would be nice to see the json output from it. And if you can't get it to work, it would be nice to get some github issues on it :-)

[tobixen]

Throwing up a docker container with the server is probably quite simple ... problem is just that I have a long list of "probably quite simple" things to do and too little time for it ... my plan was to release 2.1 before the summer and 2.2 during early autumn ... I can't believe November is almost over.

[tobixen]

I got some help from the AI to set up a framework for testing the baikal docker container in #573.

[tobixen]

So by now every pull request and every commit to master, as well as local work on my laptop is tested towards ckulka/baikal:nginx and I haven't been able to reproduce this error.

[tobixen]

Also, version 2.2.1 and 2.2.2 was released yesterday. I expect version 2.2.1 (requests) will work for you while 2.2.2 (niquests) will not work. Please give it a spin if you have time.

[tobixen]

I asked the AI on "what github issues should be prioritized". I'm not sure if the answers are sane, but it was probably right to flag this one at the top of the list. I would be very pleased if you could check v2.2.1 vs v2.2.2. In the meanwhile I'll try to see if I can figure out anything from the logs and think a bit on how it can be debugged further.

[tobixen]

I asked the AI (Claude) about what it thinks about this issue. It seems to agree with me that testing v2.2.1 and v2.2.2 have the highest priority here. It suggests HTTP/2 to be the issue, and suggests testing the niquests library with HTTP/2-support disabled. Here is the recommended approach EDIT: this is the approach recommended by Claude. If you can change the davclient.py source code, then the session parameters can be set at line 605. Possibly, playing with the session parameters would help finding a workaround here.

import caldav
from caldav import DAVClient

# Monkey-patch to disable HTTP/2
import niquests
original_session = niquests.Session

def patched_session(*args, **kwargs):
    kwargs['disable_http2'] = True  # Force HTTP/1.1
    kwargs.pop('multiplexed', None)  # Remove multiplexed
    return original_session(*args, **kwargs)

niquests.Session = patched_session

# Now test connection
client = DAVClient(url="...", username="...", password="...")
principal = client.principal()

That's the top priorities.

Next it suggests to capture more logging:

import logging
logging.basicConfig(level=logging.DEBUG)
logging.getLogger('caldav').setLevel(logging.DEBUG)
logging.getLogger('urllib3').setLevel(logging.DEBUG)
logging.getLogger('niquests').setLevel(logging.DEBUG)

And for me it suggests to reconfigure my docker image. I'll have a look into that.

[tobixen]

The AI wrongly suggested that the baikal docker test container was configured to use Basic auth rather than Digest auth, and that I should test Digest auth.

I've now tested both Digest, Basic and I'm also going to check the "Apache" auth option. Both basic and digest passes for me. Digest was tested with both niquests and requests. Setting the auth to apache causes breakages, both with niquests and apache. The "apache" auth method is not supported by the library. I should look into that.

EDIT: in the context of baikal, the "Apache" auth method means "let the apache server authenticate the user". This obviously doesn't work without modifying the web server configuration, and as the docker image is set up with nginx it probably won't work at all.