Im talking about the Openfire server. Im not sure how all the auth stuff passes through for httpbinding- maybe someone else can chime in on that topic.
From the sounds of it, your javascript libraries are not generating the DIGEST-MD5 in a way Openfire likes. I ran into this with a few clients. DIGEST-MD5 has a way of using your last login as a “shortcut” to authenticate again. Which with httpbinding this may be the case- but Openfire dosnt seem to support that style of DIGEST-MD5. You might try switching to just PLAIN for testing, and maybe figure out whats going on with DIGEST-MD5 later.
In Openfire you can configure which mechanisms are advertised in openfire.xml by doing adding a sasl stanza:
<sasl>
<mechanisms>PLAIN</mechanisms>
</sasl>