Skip to content

Onvif User Authentication


Information in this page may be outdated.

According to the Onvif user authentication flow, the device service shall: * Implement WS-Usernametoken according to WS-security as covered by the core specification. * Implement HTTP Digest as covered by the core specification.

The spec can refer to



When the Onvif camera requires authentication through WS-UsernameToken, the device service must set user information with the appropriate privileges in WS-UsernameToken.

This use case contains an example of setting that user information using GetHostname.

WS-UsernameToken requires the following parameters: * Username – The user name for a certified user. * Password – The password for a certified user. According to the ONVIF specification, Password should not be set in plain text. Setting a password generates PasswordDigest, a digest that is calculated according to an algorithm defined in the specification for WS-UsernameToken: Digest = B64ENCODE( SHA1( B64DECODE( Nonce ) + Date + Password ) ) * Nonce – A random string generated by a client. * Created – The UTC Time when the request is made.

For example:

curl --request POST '' \
    --header 'Content-Type: application/soap+xml' \
    -d  '<?xml version="1.0" encoding="UTF-8"?>
    <soap-env:Envelope xmlns:soap-env="" ...>
            <Security xmlns="">
                    <Password Type="">
                    <Nonce EncodingType="">
                    <Created xmlns="">

The spec can refer to

You can inspect the request by network tool like the Wireshark: onvif-user-authentication-usernametoken

HTTP Digest

The Digest scheme is based on a simple challenge-response paradigm and the spec can refer to

The authentication follow can be illustrated as below: 1. The device service sends the request without the acceptable Authorization header. 2. The Onvif camera return the response with a "401 Unauthorized" status code, and a WWW-Authenticate header. - The WWW-Authenticate header contains the required data - qop: Indicates what "quality of protection" the client has applied to the message. - nonce: A server-specified data string which should be uniquely generated each time a 401 response is made. The onvif camera can limit the time of the nonce's validity. - realm: name of the host performing the authentication - And the device service will put the qop, nonce, realm in the header at next request 3. The device service sends the request again, and the Authorization header must contain: - qop: retrieve from the previous response - nonce: retrieve from the previous response - realm: retrieve from the previous response - username: The user's name in the specified realm. - uri: Request uri - nc: The nc-value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. - cnonce: A random string generated by a client. - response: A string of 32 hex digits computed as defined below, which proves that the user knows a password. - MD5( hash1:nonce:nc:cnonce:qop:hash2) - hash1: MD5(username:realm:password) - hash2: MD5(POST:uri)

  1. The Onvif camera return the response with a "200 OK" status code

Inspect the request by the Wireshark: onvif-user-authentication-flow