The Fix
Adds preemptive authentication support to DigestAuthMiddleware, allowing it to reuse authentication credentials for subsequent requests, improving efficiency and matching browser behavior.
Based on closed aio-libs/aiohttp issue #11128 · PR/commit linked
Production note: Most teams hit this during upgrades or environment changes. Roll out with a canary and smoke critical endpoints (health, OpenAPI/docs) before 100%.
@@ -0,0 +1,9 @@
+Added preemptive digest authentication to :class:`~aiohttp.DigestAuthMiddleware` -- by :user:`bdraco`.
+
+The middleware now reuses authentication credentials for subsequent requests to the same
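Review bot: the second sentence of the changelog entry stops at `to the same`, so the scope of credential reuse is left unstated; finish the sentence with what "the same" refers to (the issue cites RFC 7616 section 3.6, which scopes reuse to the protection space of the original challenge), so a reader of the changelog knows which later requests will carry `Authorization` without a preceding 401.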
Why This Fix Works in Production
- Trigger: ClientDigestMiddleware doesn't work like browsers
- Mechanism: DigestAuthMiddleware did not implement preemptive authentication as specified in RFC 7616
- If left unfixed, the same config can fail only in production (env differences), causing startup failures or partial feature outages.
Why This Breaks in Prod
- DigestAuthMiddleware did not implement preemptive authentication as specified in RFC 7616
- Production symptom (often without a traceback): ClientDigestMiddleware doesn't work like browsers
Proof / Evidence
- GitHub issue: #11128
- Fix PR: https://github.com/aio-libs/aiohttp/pull/11129
- Reproduced locally: No (not executed)
- Last verified: 2026-02-09
- Confidence: 0.80
- Did this fix it?: Yes (upstream fix exists)
- Own content ratio: 0.81
Discussion
High-signal excerpts from the issue thread (symptoms, repros, edge-cases).
“### Describe the bug Once a browser has a challenge it sends the authenticate header on subsequent requests preemptively. We should work the same. This behavior is described in https://datatracker.ietf.org/doc/html/rfc7616#section-3.6 > The”
Failure Signature (Search String)
- ClientDigestMiddleware doesn't work like browsers
Error Message
Signature-only (no traceback captured)
What Broke
Subsequent requests could not authenticate without first receiving a 401 challenge, adding an extra round trip to every request.
Why It Broke
DigestAuthMiddleware did not implement preemptive authentication as specified in RFC 7616.
Fix Options (Details)
Option A — Apply the official fix
Adds preemptive authentication support to DigestAuthMiddleware, allowing it to reuse authentication credentials for subsequent requests, improving efficiency and matching browser behavior.
Fix reference: https://github.com/aio-libs/aiohttp/pull/11129
Last verified: 2026-02-09. Validate in your environment.
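To make the change concrete, here is a small model of the exchange the fix introduces (an added example, not aiohttp's code): the client caches the challenge from the first 401 and sends Authorization on later requests without waiting for another 401, incrementing the nonce count each time, while a server-side check recomputes the digest and refuses a nonce count that does not advance. The realm, nonce, user name and password are constructed sample values; the MD5 algorithm with qop=auth is assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class DigestSession:
    """Challenge cached after the first 401; later requests reuse it preemptively."""
    realm: str
    nonce: str
    qop: str = "auth"
    nc: int = 0  # nonce count; must grow each time the cached nonce is reused

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()  # MD5 variant assumed here

def build_authorization(sess, username, password, method, uri, cnonce):
    """Client side: reuse the cached challenge, bump nc, compute the response."""
    sess.nc += 1
    nc = f"{sess.nc:08x}"
    ha1 = _md5(f"{username}:{sess.realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{sess.nonce}:{nc}:{cnonce}:{sess.qop}:{ha2}")
    return {"username": username, "realm": sess.realm, "nonce": sess.nonce,
            "uri": uri, "qop": sess.qop, "nc": nc, "cnonce": cnonce, "response": response}

def verify_authorization(params, method, password, seen_nc):
    """Server side: recompute the digest and refuse a nonce count that does not
    advance past seen_nc[nonce]; that is what keeps nonce reuse replay-safe."""
    nc_value = int(params["nc"], 16)
    if nc_value <= seen_nc.get(params["nonce"], 0):
        return False
    ha1 = _md5(f"{params['username']}:{params['realm']}:{password}")
    ha2 = _md5(f"{method}:{params['uri']}")
    expected = _md5(f"{ha1}:{params['nonce']}:{params['nc']}:"
                    f"{params['cnonce']}:{params['qop']}:{ha2}")
    if not hmac.compare_digest(expected, params["response"]):
        return False
    seen_nc[params["nonce"]] = nc_value
    return True

def preemptive_exchange():
    """Challenge reply, then a preemptive request, then a replay of the first."""
    sess = DigestSession(realm="example.org", nonce="constructed-nonce-1")
    seen = {}
    first = build_authorization(sess, "alice", "s3cret", "GET", "/a", "cn1")
    second = build_authorization(sess, "alice", "s3cret", "GET", "/b", "cn2")
    ok_first = verify_authorization(first, "GET", "s3cret", seen)
    ok_second = verify_authorization(second, "GET", "s3cret", seen)
    replayed = verify_authorization(first, "GET", "s3cret", seen)
    return ok_first, ok_second, replayed, first["nc"], second["nc"]
```

The second request is accepted with no 401 in between because the server only needs the nonce count to move forward; replaying the first request is refused for the same reason.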
When NOT to Use This Fix
- Do not use this fix if you require strict adherence to non-preemptive authentication.
Prevention
- Capture the exact failing error string in logs and tests so you can reproduce via a minimal script.
- Pin production dependencies and upgrade only with a reproducible test that hits the failing path.
Related Issues
No related fixes found.
Sources
We don’t republish the full GitHub discussion text. Use the links above for context.