RFC2617 about HTTP authentication was obsoleted by RFC7616 (among others) already 6 years ago.
RFC7616 brought us SHA256 and SHA512 as the preferred hash algorithms for digest authentication, while it kept the old MD5 algorithm (according to RFC2617) for backwards compatibility.
Now Firefox 93 is one of the first which supports the better SHA algorithms for digest authentication. And with that, a 13-year-old feature request has finally been closed. See: https://bugzilla.mozilla.org/show_bug.cgi?id=472823
Now the problem with Epiphany is that it not only does not support the new algorithms but also bails out when a web service offers algorithms in more than one WWW-Authenticate: header. Instead it should ignore those headers with algorithms that it does not know, which at the moment is all but MD5.
Here is a debug session of my embedded web server, which runs on FreeBSD on ARM SoCs, with the latest Firefox 93:
The web service asks for authentication, offering SHA256 besides the old MD5 algorithm:
```
HTTP/1.1 401 Unauthorized
Date: Tue, 05 Oct 2021 21:05:59 GMT
Server: CyControl/1.0 (r907M)
WWW-Authenticate: Digest realm="MyDevice",qop="auth",algorithm=SHA-256, nonce="5bbcbe824b4b4db3c6bb7fd1db6b941a5c715ff0245134c6e3a1b20d0d53296e00000000"
WWW-Authenticate: Digest realm="MyDevice",qop="auth",algorithm=MD5,nonce="5bbcbe824b4b4db3c6bb7fd1db6b941a5c715ff0245134c6e3a1b20d0d53296e00000000"
Content-Length: 176
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
```
According to RFC7616, Firefox 93 chooses the better authentication method, SHA256, of the two that were offered:
```
GET /.cysim.html HTTP/1.1
Host: 192.168.0.17
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Authorization: Digest username="rolf, realm="MyDevice", nonce="5bbcbe824b4b4db3c6bb7fd1db6b941a5c715ff0245134c6e3a1b20d0d53296e00000000", uri="/.cysim.html", algorithm=SHA-256, response="9d130b3f2d9afd9a013fdd4b5338cd96c43ceeebdcedd16df831f8a60c17c501", qop=auth, nc=00000001, cnonce="303250ae0020844e"
```
Now, Epiphany does not understand the first WWW-Authenticate: header and shows the user the error page. Instead it should do the authentication with the MD5 algorithm, which it knows.
My embedded server now offers only the MD5 WWW-Authenticate: header once it is called by Epiphany. However, besides Firefox 93, Opera reportedly supports the new schemes as well, and perhaps it will not take long until the first popular web servers start to send more than one WWW-Authenticate: header to clients according to RFC7616. By then at the latest, Epiphany needs to at least ignore WWW-Authenticate: headers which it does not support, instead of reporting the error page.
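
The requested client behaviour, as an added example that is not part of the original report and is not Epiphany or libsoup code: the client walks the offered challenges in order, skips any whose algorithm it does not implement, and answers the first one it supports. It assumes one challenge per header value and qop=auth; the function names and the password are constructed placeholders.

```python
import hashlib
import re

# Hash functions this hypothetical client implements, keyed by RFC 7616 algorithm token.
HASHES = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}
PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')

# The two challenges from the 401 response quoted in the report.
NONCE = "5bbcbe824b4b4db3c6bb7fd1db6b941a5c715ff0245134c6e3a1b20d0d53296e00000000"
OFFERED = [
    'Digest realm="MyDevice",qop="auth",algorithm=SHA-256, nonce="%s"' % NONCE,
    'Digest realm="MyDevice",qop="auth",algorithm=MD5,nonce="%s"' % NONCE,
]

def parse_challenge(value):
    """Parse one header value holding a single challenge; None if not Digest."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    params = {}
    for name, quoted, bare in PARAM.findall(rest):
        params[name.lower()] = quoted or bare
    params.setdefault("algorithm", "MD5")  # no algorithm parameter means MD5
    params["algorithm"] = params["algorithm"].upper()
    return params

def select_challenge(header_values, supported=HASHES):
    """Return the first challenge with a supported algorithm, skipping the rest."""
    for value in header_values:
        ch = parse_challenge(value)
        if ch and ch["algorithm"] in supported and "nonce" in ch:
            return ch
    return None  # only now is an error page justified

def digest_response(ch, user, password, method, uri, cnonce, nc="00000001"):
    """Compute the response value for qop=auth with the challenge's algorithm."""
    def h(text):
        return HASHES[ch["algorithm"]](text.encode()).hexdigest()
    ha1 = h(f"{user}:{ch['realm']}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")

if __name__ == "__main__":
    md5_only = {"MD5": hashlib.md5}  # models a client that only knows MD5
    for name, algos in (("sha256+md5", HASHES), ("md5-only", md5_only)):
        ch = select_challenge(OFFERED, algos)
        # "example-password" is a constructed placeholder, not from the report
        print(name, ch["algorithm"], digest_response(
            ch, "rolf", "example-password", "GET", "/.cysim.html", "303250ae0020844e"))
```

With both headers offered, the MD5-only client lands on the second challenge and still authenticates; it returns no challenge only when none of the offered algorithms is known.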