Bug: Digest Auth uses incorrect nonce when multiple WWW-Authenticate headers are present #13756

@KIM-JEHO

Is there an existing issue for this?

  • I have searched the tracker for existing similar issues and I know that duplicates will be closed

Describe the Issue

When a server responds with multiple WWW-Authenticate headers using different algorithms (MD5 and SHA-256), Postman selects algorithm="SHA-256" but incorrectly uses the nonce from the MD5 challenge.

Server Response Example:

WWW-Authenticate: Digest realm="TEST_REALM", nonce="63230a...e94bb", algorithm=MD5, qop="auth"
WWW-Authenticate: Digest realm="TEST_REALM", nonce="62230a...f37d", algorithm=SHA-256, qop="auth"

Postman Request Example:

Authorization: Digest username="test_user", realm="TEST_REALM", nonce="63230a...e94bb", algorithm="SHA-256", ...

Steps To Reproduce

1. Add request
2. Request any digest auth URL
3. Select Authorization Tab
4. Select Digest Auth Auth Type
5. Select SHA-256 Algorithm
6. Send request

Screenshots or Videos

No response

Operating System

Windows

Postman Version

11.61.5

Postman Platform

Postman App

User Account Type

Signed In User

Additional Context?

This causes authentication failure on devices that strictly validate nonce-algorithm pairing, such as IP cameras using RFC 7616-compliant digest auth.
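
The nonce-algorithm pairing the report describes, as an added example that is not part of the original issue and is not Postman's code: it parses each `WWW-Authenticate: Digest` value, picks the whole challenge for the chosen algorithm, and checks an outgoing `Authorization` header for a nonce taken from a different challenge. The function names are hypothetical, the nonces are constructed, and it assumes one challenge per header value, as in the response shown above.

```javascript
// Parse the auth-params of one "Digest ..." header value into an object.
// Handles quoted strings (with backslash escapes) and bare tokens.
function parseDigestParams(value) {
  const body = value.replace(/^\s*Digest\s+/i, "");
  const params = {};
  const re = /([a-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    const raw = m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
    params[m[1].toLowerCase()] = raw;
  }
  return params;
}

// RFC 7616: a challenge with no algorithm parameter is treated as MD5.
function algorithmOf(params) {
  return (params.algorithm || "MD5").toUpperCase();
}

// Pick the whole challenge for the wanted algorithm, so realm, nonce, qop and
// opaque all come from the same header. Returns null if it was not offered.
function selectChallenge(headerValues, wantedAlgorithm) {
  const wanted = wantedAlgorithm.toUpperCase();
  for (const value of headerValues) {
    if (!/^\s*Digest\s/i.test(value)) continue; // skip Basic, Bearer, ...
    const params = parseDigestParams(value);
    if (algorithmOf(params) === wanted) return params;
  }
  return null;
}

// Check an outgoing Authorization header against the challenges received:
// its nonce must be the one issued together with the algorithm it names.
function nonceMatchesAlgorithm(headerValues, authorizationValue) {
  const sent = parseDigestParams(authorizationValue);
  const challenge = selectChallenge(headerValues, algorithmOf(sent));
  return challenge !== null && challenge.nonce === sent.nonce;
}

// Constructed sample challenges and a mixed-up request (nonces are made up).
const challenges = [
  'Digest realm="TEST_REALM", nonce="aaaa1111", algorithm=MD5, qop="auth"',
  'Digest realm="TEST_REALM", nonce="bbbb2222", algorithm=SHA-256, qop="auth"',
];
const mixed = 'Digest username="test_user", realm="TEST_REALM", nonce="aaaa1111", algorithm="SHA-256"';
console.log(selectChallenge(challenges, "SHA-256").nonce);
console.log(nonceMatchesAlgorithm(challenges, mixed));
```
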
