-
Notifications
You must be signed in to change notification settings - Fork 122
/
Copy pathxep-0034.xml
250 lines (207 loc) · 12.2 KB
/
xep-0034.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM "xep.ent">
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
<title>SASL Integration</title>
<abstract>NOTE WELL: this specification was retracted on 2003-11-05 since the topic is addressed definitively in XMPP Core. Please refer to XMPP Core for further information.</abstract>
&LEGALNOTICE;
<number>0034</number>
<status>Retracted</status>
<type>Standards Track</type>
<sig>Standards</sig>
<approver>Council</approver>
<dependencies/>
<supersedes/>
<supersededby><spec>XMPP Core</spec></supersededby>
<shortname>N/A</shortname>
<author>
<firstname>Robert</firstname>
<surname>Norris</surname>
<email>[email protected]</email>
<jid>[email protected]</jid>
</author>
<author>
<firstname>Jeremie</firstname>
<surname>Miller</surname>
<email>[email protected]</email>
<jid>[email protected]</jid>
</author>
<author>
<firstname>Peter</firstname>
<surname>Saint-Andre</surname>
<email>[email protected]</email>
<jid>[email protected]</jid>
</author>
<revision>
<version>1.1</version>
<date>2003-11-05</date>
<initials>psa</initials>
<remark>The status of this specification has been changed to Retracted since it has been superseded by XMPP Core.</remark>
</revision>
<revision>
<version>1.0</version>
<date>2002-08-13</date>
<initials>psa</initials>
<remark>Changed status to Draft.</remark>
</revision>
<revision>
<version>0.3</version>
<date>2002-07-26</date>
<initials>rn</initials>
<remark>Reworked for server-to-server SASL; added jabber:iq:auth get (as in xmpp-im).</remark>
</revision>
<revision>
<version>0.2</version>
<date>2002-06-05</date>
<initials>rn</initials>
<remark>Fleshed out.</remark>
</revision>
<revision>
<version>0.1</version>
<date>2002-06-03</date>
<initials>psa</initials>
<remark>Initial version based on Jer's notes.</remark>
</revision>
</header>
<section1 topic='Introduction'>
<p>The Simple Authentication and Security Layer (SASL) (see &rfc4422;) provides a generalized method for adding authentication support to connection-based protocols. This document describes a generic XML namespace profile for SASL, that conforms to section 4 of RFC 4422, "Profiling requirements".</p>
<p>This profile may be used for both client-to-server and server-to-server connections. For client connections, the service name used is "jabber-client". For server connections, the service name used is "jabber-server". Both these names are registered in the IANA service registry.</p>
<p>The reader is expected to have read and understood the SASL specification before reading this document.</p>
</section1>
<section1 topic='Protocol'>
<section2 topic="Overview">
<p>In these examples, "client" refers to the remote entity that initiated the connection, either a Jabber client or a Jabber server. "Server" refers to the server that the remote entity is attempting to connect and authenticate to.</p>
<p>The steps involved for a SASL negotiation are as follows:</p>
<ol>
<li>Client requests SASL authentication</li>
<li>Server responds with list of available SASL authentication mechanisms</li>
<li>Client selects mechanism</li>
<li>Server sends a challenge</li>
<li>Client responds to challenge</li>
<li>Server sends more challenges, client sends more responses</li>
</ol>
<p>This series of challenge/response pairs continues until one of three things happens:</p>
<ol>
<li>Client aborts the handshake.</li>
<li>Server reports failure.</li>
<li>Server reports success.</li>
</ol>
<p>After authentication has completed, the client sends a packet to begin the session.</p>
<p>The namespace identifier for this protocol is http://www.iana.org/assignments/sasl-mechanisms.</p>
<p>The following examples show the dialogue between a client [C] and a server [S].</p>
<p>
</p>
</section2>
<section2 topic="Stream initialization">
<p>The client begins by requesting SASL authentication as part of the normal Jabber stream negotiation. <note>In the case of the remote entity being a server, the default namespace in the stream header will be "jabber:server".</note> The server responds by sending the available authentication mechanisms to the client along with the stream information:</p>
<example caption="Stream initialization">
C: <stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xmlns:sasl='http://www.iana.org/assignments/sasl-mechanisms'
to='jabber.org'>
S: <stream:stream xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams'
xmlns:sasl='http://www.iana.org/assignments/sasl-mechanisms'
id='12345678'>
<sasl:mechanisms>
<sasl:mechanism>PLAIN</sasl:mechanism>
<sasl:mechanism>DIGEST-MD5</sasl:mechanism>
<sasl:mechanism>EXTERNAL</sasl:mechanism>
<sasl:mechanisms>
</example>
</section2>
<section2 topic="Mechanism selection and handshake">
<p>Next, the client selects an authentication mechanism:</p>
<example caption="Plaintext mechanism selection">
C: <sasl:auth mechanism='PLAIN'/>
</example>
<p>The server responds with a mechanism-specific challenge, which the client must respond to. More than one challenge/response pair can take place; this is mechanism-specific.</p>
<p>Challenges and responses are Base64<note><link url="http://www.ietf.org/rfc/rfc2045.txt">RFC 2045</link>, section 6.8.</note> encoded.</p>
<example caption="Plaintext handshake">
S: <sasl:challenge/>
C: <sasl:response>cm9iAHNlY3JldA==</sasl:response>
</example>
<example caption="Digest handshake">
S: <sasl:challenge>
cmVhbG09ImNhdGFjbHlzbS5jeCIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIi
xxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz
</sasl:challenge>
C: <sasl:response>
dXNlcm5hbWU9InJvYiIscmVhbG09ImNhdGFjbHlzbS5jeCIsbm9uY2U9Ik
9BNk1HOXRFUUdtMmhoIixjbm9uY2U9Ik9BNk1IWGg2VnFUclJrIixuYz0w
MDAwMDAwMSxxb3A9YXV0aCxkaWdlc3QtdXJpPSJqYWJiZXIvY2F0YWNseX
NtLmN4IixyZXNwb25zZT1kMzg4ZGFkOTBkNGJiZDc2MGExNTIzMjFmMjE0
M2FmNyxjaGFyc2V0PXV0Zi04
</sasl:response>
S: <sasl:challenge>
cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZA==
</sasl:challenge>
C: <sasl:response/>
</example>
<p>For mechanisms that require the client to send data first (ie the first challenge from the server is empty), the client may optionally send its first response as part of the mechanism selection:</p>
<example caption="Plaintext mechanism selection; client sends data first">
C: <sasl:auth mechanism='PLAIN'>cm9iAHNlY3JldA==</sasl:auth>
</example>
</section2>
<section2 topic="Success, failure and client abort">
<p>The handshake continues until authentication completes successfully, authentication fails, or the client aborts the handshake:</p>
<example caption="Authentication success">
S: <sasl:success/>
</example>
<example caption="Authentication failure">
S: <sasl:failure/>
</example>
<example caption="Client abort">
C: <sasl:abort/>
</example>
<p>Optionally, the server or client may send an informative message along with the success, failure or abort command:</p>
<example caption="Authentication failure; optional informative message">
S: <sasl:failure>Plaintext authentication failed (Incorrect username or password)</sasl:failure>
</example>
<p>Following a failure or client abort, the client may start a new handshake. Following a successful authentication, any further attempts by the client to begin a new authentication handshake will automatically result in the server sending a failure.</p>
</section2>
<section2 topic='Session start'>
<p>Note: that this section only applies to client-to-server connections.</p>
<p>Following successful authentication, the client must send a standard IQ set packet in the jabber:iq:auth namespace to start a session. The client must supply a username and resource for the session along with this packet.</p>
<example caption="Session start after successful authentication">
C: <iq id="a1" type="get">
<query xmlns="jabber:iq:auth">
<username>rob</username>
</query>
</iq>
S: <iq id="a1" type="result">
<query xmlns="jabber:iq:auth">
<username>rob</username>
<resource/>
</query>
</iq>
C: <iq id="a2" type="set">
<query xmlns="jabber:iq:auth">
<username>rob</username>
<resource>laptop</resource>
</query>
</iq>
S: <iq id="a2" type="result">
<query xmlns="jabber:iq:auth"/>
</iq>
</example>
<p>If the client attempts to start a session before authenticating, or the username given in the jabber:iq:auth packet does not match the username given in the authentication credentials (when the SASL mechanism supports it), the server will return a 401 (Unauthorized) error packet.</p>
</section2>
</section1>
<section1 topic='Support for existing authentication methods'>
<p>Traditionally, Jabber servers have supported two authentication models - jabber:iq:auth for client-to-server authentication, and dialback for server-to-server authentication.</p>
<section2 topic='Legacy client-to-server authentication support'>
<p>Until SASL authentication is in widespread use, clients and servers may support both SASL and the legacy jabber:iq:auth authentication system for client-to-server connections. Note that neither the client nor the server are required to support legacy authentication; it is simply a courtesy to users until the majority of clients and servers support SASL authentication.</p>
<p>If a client connects and does not request the use of SASL (that is, the SASL profile namespace identifier does not appear in the stream initializer response), then the server should disable SASL for this connection; that is, it should not add the SASL profile namespace identifier to the stream initialization response, nor should it offer any SASL mechanisms.</p>
<p>If a client connects to a server that does not support SASL (identified by the lack of the SASL profile namespace identifier in the stream initializer response, even though the client requested it), the client may choose to fall back to use legacy authentication.</p>
</section2>
<section2 topic='Dialback support for server-to-server authentication'>
<p>SASL authentication for server-to-server connections is not intended to replace dialback, as there are uses for both. Dialback is useful in an uncontrolled environment, such as the global Internet, where it is necessary to verify the identity of the remote server. SASL authentication has uses in a more controlled environment, where the administrator wishes to restrict access to a certain number of known remote servers.</p>
<p>To this end, the use of dialback is not deprecated. If a remote server connects and requests the use of dialback (by specifying the "jabber:server:dialback" namespace, the the local server shall not offer SASL authentication. Similarly, if the remote server connects and requests the use of SASL authentication, then the local server shall not offer dialback. In the event that the remote server requests both, the local server should terminate the stream immediately and close the connection. If the remote server requests neither, then the local server may choose to support the pre-dialback server-to-server stream, but it is recommended that the local server terminate the stream and close the connection.</p>
</section2>
</section1>
</xep>