Is it possible to use digest authentication in ASP.NET Core / Kestrel? If it is, how do I enable and use it?

I know that basic authentication is not and will not be implemented because it's considered insecure and slow, but I can't find anything at all about digest.

I don't want to use IIS' authentication because I don't want to be tied to Windows accounts, I want use a custom credentials validation logic.

The only implementation of digest auth currently available with Core is the one in IIS that's tied to integrated windows auth.

If someone is looking for the answer. This code is working for me:

using System.ServiceModel;

var binding = new BasicHttpBinding();
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Digest;
binding.TextEncoding = Encoding.UTF8;
binding.TransferMode = TransferMode.Buffered;
binding.AllowCookies = false;
binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;

var endpoint = new EndpointAddress(new Uri("http://website.domain/WebService.svc"));
var client = new MessageServiceClient(binding, endpoint);
client.ClientCredentials.HttpDigest.ClientCredential.UserName = "username";
client.ClientCredentials.HttpDigest.ClientCredential.Password = "password";

var response = client.CallMethod();

Few thing about Kestrel, WebListener servers and authentication

• Kestrel does not directly support Windows Auth
• you must use WebListener or IIS + Kestrel to achieve that
• you just need to add forwardWindowsAuthToken="true" in your web.config file - https://github.com/aspnet/IISIntegration/blob/dev/samples/IISSample/web.config#L13
• WebListener exposes AuthenticationManager - that can be used to configure the server authentication

And example how you can allow anonymous users using WebListener:

builder.UseWebListener(options =>
{    
     options.Listener.AuthenticationManager.AuthenticationSchemes = AuthenticationSchemes.AllowAnonymous;
});