Once the client has received the WWW-Authenticate header from the server, they are responsible for building out their Digest response using the hashing algorithm that's specified (or the default MD5, if unspecified) by the server. To do so, they follow a series of procedures for one-way hashing their passwords using the hashing algorithm, and then hashing a combination of their username, the nonce value returned by the server, and their password.
The user creates a hash value with their username, the realm, and their password, with each separated by a colon. Assuming the server specified SHA-256, this creates a value designated as HA1, as shown here:
HA1 = SHA256(username:realm:password)
Then they ...