Digest authentication looks like a flavor of challenge-response mechanism: theres's a random string which is mixed with the password (MD5 or something) by both the client and the server and only the result of such mixing is sent over the network.
Usually the challenge ("nonce") is chosen by the server and sent to the client. Wikipedia article on digest authentication lists a sample "session" - the challenge ("nonce") is chosen by the server there. I tested the same with IIS on my machine - again, the challenge is generated by IIS.
But in some posts like this one the challenge is generated by the client - the client just generates a random string and sends a request with the challenge and the product of the password and that challenge.
Is the latter allowed and widely accepted? Is the client allowed to choose the challenge ("nonce")?
In HTTP digest authentication, the server always generates the nonce.
However, HTTP authentication is extensible, and applications may implement other methods of authentication (beyond basic and digest). In the example you link to, the client is authenticating using WSSE, a form of authentication for (mainly SOAP-based) web services. In WSSE, the client generates the nonce.