added a comment - - edited
In case of MD5 digest authentication, the setUser() method in qauthenticator.cpp should not do anything with the username, just save it as-is (it is defined in BNF as a quoted-string, so neither "backslash" nor "@" have any special meaning). Specifically, it should not reset or clear or change the realm. The realm is read from the challenge and should be kept as-is.
The crucial problem in the commit Martin references is the "d->realm.clear()" part. The code has evolved a bit since then, but IMHO there should not be any special case for QAuthenticatorPrivate::DigestMd5 in the switch, just setting d->user is enough. All other fields are read directly from the challenge or set explicitly.
The bug exists also before bba97ff5e7faecfaf9b3d0cbb0e2d788bdfd5ab9, but would only manifest if the username contained a "backslash" which basically never happens. I don't know which revisions were specified in "works on 4.8" but master and 4.7 branch have the same qauthenticator.cpp at this moment.