curl-library
RE: [bagder/curl] 0d24f6: sasl: implement EXTERNAL authentication mechanism.
Date: Thu, 29 Jan 2015 10:29:14 +0100
Steve Holme wrote:
> > > * Should we implement support for an empty authentication
identifier (via an empty username) as I believe is allowed in the RFC or
do your modifications already cater for this?
> > Yes, and it's currently done this way. In TLS cases, empty username
tells to use id from cert. Using a non-empty username can only be used
if the server allows to delegate authorizations, such as an
administrator acting for a normaluser. I've never seen such an
implementation, but curl supports it.
> That's what I thought. In the SASL code is it the
Curl_sasl_can_authenticate() that allows this?
Yes. The idea is: check user_passwd to see if some (or both) have been
specified: this is the test part that used to exist in each
protocol-specific modules. Then check the availability and request for
EXTERNAL too, even if no user/password has been provided: this covers
the "no user" external authentication. In possible future needs, we may
alter this procedure for specific cases instead of having to duplicate
the test in each SASL-aware module.
You may also note that non-external mechanisms are skipped if
user_passwd is not set.
Cheers,
Patrick
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-01-29