In this RFC: https://www.rfc-editor.org/rfc/rfc2617#page-8 we have this:
3.2.1 The WWW-Authenticate Response Header
If a server receives a request for an access-protected object, and an acceptable Authorization header is not sent, the server responds with a "401 Unauthorized" status code, and a WWW-Authenticate header as per the framework defined above, which for the digest scheme is utilized as follows:
challenge = "Digest" digest-challenge digest-challenge = 1#( realm | [ domain ] | nonce | [ opaque ] |[ stale ] | [ algorithm ] | [ qop-options ] | [auth-param] ) domain = "domain" "=" <"> URI ( 1*SP URI ) <"> URI = absoluteURI | abs_path nonce = "nonce" "=" nonce-value nonce-value = quoted-string opaque = "opaque" "=" quoted-string stale = "stale" "=" ( "true" | "false" ) algorithm = "algorithm" "=" ( "MD5" | "MD5-sess" | token ) qop-options = "qop" "=" <"> 1#qop-value <"> qop-value = "auth" | "auth-int" | tokenThe meanings of the values of the directives used above are as
In understand that | means concatenation, [] means that the thing can or can not appear. What does 1# mean? What about <"> and 1*SP?
On the RFC begining there's no explanation for these.
You are looking at outdated documents. For this piece, you should look at RFC 7235.
ABNF is defined in RFC 5234 (wtih extensions from RFC 7231). You should find those references based on the section "Syntax Notation" in RFC 7235.
(and, for FWIW, RFC 2617 points to the definitions as well, see Section 1.1).