DigestAuthorizationHeader doesn't use comma separator for Authorization header

[TheAsteroid]

The DigestAuthorizationHeader uses a space as credential separator for both building and parsing, while the RFC examples use a comma followed by a space: https://httpwg.org/specs/rfc7616.html#rfc.section.3.9.1

I believe the following changes should be made:

• DigestAuthorizationHeader.AppendField should use $", {fn}=\"{fv}\"" (taking into account that the first field shouldn't have the comma prefixed).
• DigestAuthorizationHeader.Create should set the CredentialsDelimiter in the AuthorizationHeader options to ", " instead of " ".

I can create a PR, but it would be a breaking change, unless it's made backwards compatible with the space-only delimiter.

[gimlichael]

Thanks - I will have a look.

[gimlichael]

@TheAsteroid I have fixed the issues you have highlighted - and also improved further upon reading through the specs.
It should be captured in here: #116.

Please have view on the changes and do provide much welcome feedback for the changes.

In regards to compatibility; since the code is backward compatible - and this is a bugfix to be compliant to the standard - I believe its okay to be part of the v9.0.4 release.

As I interpret the compatibility definitions from Microsoft, I believe this is an innocuous behavioral change.

[gimlichael]

Before

WWW-Authenticate:
Digest realm="AuthenticationServer", qop="auth, auth-int", nonce="MjAyNS0wNC0wOSAyMDowMzozOVo6NDk1ZjMwYzA4NTZiY2UwNzhmNTZhYmI2MmZkNmJiNGEzYjU1ZDQ1ZTMzN2Q2YTg2YzkxNjE0MWEyZGJjYjhkMA==", opaque="cda611045066275271efb735b012392a", stale="false", algorithm="SHA-256"

Authorization:
Digest username="Agent" realm="AuthenticationServer" nonce="MjAyNS0wNC0wOSAyMDowMzozOVo6NDk1ZjMwYzA4NTZiY2UwNzhmNTZhYmI2MmZkNmJiNGEzYjU1ZDQ1ZTMzN2Q2YTg2YzkxNjE0MWEyZGJjYjhkMA==" uri="/" qop="auth" nc="00000001" cnonce="j4soFKqZmKXc8spyEyPFtj3ftfsNH6FW" response="54f59dd8298cd0e75db23019fa2680a7835edc98ea7c4a820c77c774a1fd41aa" opaque="cda611045066275271efb735b012392a" stale="false" algorithm="SHA-256"

After

WWW-Authenticate:
Digest realm="AuthenticationServer", qop="auth, auth-int", nonce="MjAyNS0wNC0wOSAyMDo0ODo1M1o6ODgyMTU5MjIxMmE2Y2FiZGQzNDgxMGEwNzllNDBkMWVhMzc0ODJkNDg3ODUzNDc5NjUwYzk4MTc1YTk2MTdhOA==", opaque="47795f5dedeac6a416640f2f5229c86c", stale=false, algorithm=SHA-256

Authorization:
Digest username="Agent", realm="AuthenticationServer", nonce="MjAyNS0wNC0wOSAyMDo0ODo1M1o6ODgyMTU5MjIxMmE2Y2FiZGQzNDgxMGEwNzllNDBkMWVhMzc0ODJkNDg3ODUzNDc5NjUwYzk4MTc1YTk2MTdhOA==", uri="/", qop=auth-int, nc=00000001, cnonce="aoAXqutImMaO9jIZGMwFKOHr7RVxcrXi", response="049906c1e0c57abe82659059a1d293b19e38b3b9390b51e5a1fff3501c07b35d", opaque="47795f5dedeac6a416640f2f5229c86c", algorithm=SHA-256

[TheAsteroid]

Thanks a lot for the quick turnaround, Michael! The code is looking good with regards to the fix.

Strictly speaking the code isn't backwards compatible, in case someone (incorrectly) implemented a client using a space-only delimiter for an API using this middleware. This client would fail when updating the API with this patch. But you are right that this is a fix to comply with the standard, so I am fine to make this a patch.

[gimlichael]

I agree with your assessment and will add-in a callout in the CHANGELOG.md (in all fairness, I deem the risk to be low).
Thank you for being vigilant.

Expected release sometime tomorrow (CET).