Tags: c#, .net, security, httplistener, self-hosting

Self-hosted site based on HttpListener -- how to handle authentication?


If you are building a self-hosted web page around HttpListener, how can you handle authentication in a secure way? I don't want to use Basic Authentication because it passes credentials as clear text. I know that Digest is another option:

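        // Requires: using System.Net;
        // 'listener' (HttpListener) and 'url' (the prefix string) are declared elsewhere.
        listener = new HttpListener();
        listener.Prefixes.Add(url);
        // Have the listener challenge every request with Digest authentication.
        listener.AuthenticationSchemes = AuthenticationSchemes.Digest;
        listener.Start();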

Is it secure enough and what are the standard / best practices for actually grabbing the username/password and authenticating them?

In this situation there is no web.config or hosting environment by default.


Solution

  • Using authentication with HttpListener means having Windows do your authentication for you using its built-in authentication system (i.e. Active Directory). This means for digest authentication you need to create domain accounts for your users. Is this what you were intending? If you want to do your own custom authentication, that's a more complicated matter. I won't go into how to do that unless you say that's what you want to do.
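
The following is an added example, not code from the question or the answer. It shows what the answer implies for the handler: with Digest enabled, Windows validates the credentials, so the application never receives a password and works only with the resulting identity on `context.User`. The prefix `http://localhost:8080/` and the group `EXAMPLE\WebAppUsers` are placeholders assumed for illustration, and the sketch assumes a Windows host whose accounts live in a domain.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;

class DigestListenerExample
{
    // Placeholder values assumed for this example; replace with your own.
    const string Prefix = "http://localhost:8080/";
    const string AllowedGroup = @"EXAMPLE\WebAppUsers";

    static void Main()
    {
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(Prefix);
            // Only Digest is enabled, so anonymous requests are challenged by
            // the listener itself and are not handed to Handle().
            listener.AuthenticationSchemes = AuthenticationSchemes.Digest;
            listener.Start();
            while (true)
                Handle(listener.GetContext());
        }
    }

    static void Handle(HttpListenerContext context)
    {
        // Identity established by Windows; there is no password to read here.
        IPrincipal user = context.User;
        int status;
        string body;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        { status = 401; body = "Not authenticated"; }       // defensive check
        else if (!user.IsInRole(AllowedGroup))
        { status = 403; body = "Forbidden"; }               // authenticated, not authorized
        else
        { status = 200; body = "Hello " + user.Identity.Name + " via " + user.Identity.AuthenticationType; }

        byte[] bytes = Encoding.UTF8.GetBytes(body);
        context.Response.StatusCode = status;
        context.Response.ContentType = "text/plain; charset=utf-8";
        context.Response.ContentLength64 = bytes.Length;
        context.Response.OutputStream.Write(bytes, 0, bytes.Length);
        context.Response.Close();
    }
}
```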