[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)
m at tthias.eu
Tue Nov 28 14:35:58 UTC 2006
> You are right about differing in authentication and authorization:
> hence in the normal case, you could authenticate as userA through SASL and
> authorize (bind) as userB.
No, you can't. On the one hand because SASL already does authorization
(by RFC 2222/4422) and on the other hand because resource binding only
selects the client's resource; you cannot pass an authorization
identity with the bind request.
> In this specific context, you already did your auth as userA (through
> TLS), and the bind for authorization comes at a later stage. SASL
> EXTERNAL is just indicating that you want to reuse the auth creds as
> negotiated by the underlying TLS session and not provide another set of
> creds using SASL PLAIN or DIGEST-MD5, etc.
It is correct that SASL EXTERNAL does not do authentication itself, but
indicates that authentication that has been done using some other means
should be used. But SASL EXTERNAL will always do authorization.
SASL EXTERNAL (RFC 4422, appendix A) will authorize you as the same
identity as you authenticated if you do not pass an authorization
identity in the SASL EXTERNAL handshake.
Matthias Wimmer
Züricher Str. 243, 81476 München
Fon +49-700 77 00 77 70, Fax +49-89 95 89 91 56
http://ma.tthias.eu/
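The authorization step the reply describes, as an added example that is not part of the original message, of XEP-0178, or of any XMPP server: a small Python model of the server side of SASL EXTERNAL per RFC 4422 Appendix A, together with the XMPP encoding of the initial response (base64 of the UTF-8 authorization identity, or a single "=" when it is empty). An empty authzid yields the identity the lower layer (here TLS) already authenticated; a non-empty authzid is a request to act as someone else and is checked against policy. The TLS-derived authentication identity, the sample ACL, the JIDs and all function names are assumptions for illustration, and resource binding is modelled only far enough to show that it carries no identity.

```python
import base64

# Constructed sample policy (assumption): which authorization identities an
# authenticated identity may assume. A real server consults its own store.
PROXY_ACL = {
    "userA@example.com": {"admin-bot@example.com"},
}


def encode_external_response(authzid=""):
    """Client side: payload of <auth mechanism='EXTERNAL'>.

    RFC 4422 App. A: the client's message is the UTF-8 authorization
    identity, possibly empty. XMPP sends an empty initial response as "=".
    """
    if authzid == "":
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def decode_external_response(payload):
    """Server side: recover the requested authzid ('' if none was sent)."""
    if payload == "=":
        return ""
    authzid = base64.b64decode(payload, validate=True).decode("utf-8")
    if "\x00" in authzid:  # RFC 4422 forbids NUL in the authzid string
        raise ValueError("NUL in authorization identity")
    return authzid


def authorize_external(tls_authn_id, payload, acl=PROXY_ACL):
    """Server side of SASL EXTERNAL.

    tls_authn_id is the identity the TLS layer already authenticated
    (assumed here to come from the client certificate, as XEP-0178 does).
    Returns the authorized identity, or raises PermissionError.
    """
    if not tls_authn_id:
        # EXTERNAL has nothing to reuse: the lower layer authenticated nobody.
        raise PermissionError("no authentication identity from the lower layer")
    authzid = decode_external_response(payload)
    if authzid == "":
        # Empty authzid: authorization identity = authentication identity.
        return tls_authn_id
    if authzid == tls_authn_id or authzid in acl.get(tls_authn_id, set()):
        return authzid
    raise PermissionError("%s is not permitted to act as %s" % (tls_authn_id, authzid))


def is_authorized(tls_authn_id, payload, acl=PROXY_ACL):
    """Boolean wrapper around authorize_external for policy checks."""
    try:
        authorize_external(tls_authn_id, payload, acl)
        return True
    except (PermissionError, ValueError):
        return False


def bind_resource(authorized_jid, resource):
    """Resource binding happens after SASL: it only picks a resource for the
    identity SASL already authorized; there is no field to change that identity."""
    return "%s/%s" % (authorized_jid, resource)


if __name__ == "__main__":
    who = authorize_external("userA@example.com", "=")
    print(bind_resource(who, "laptop"))  # userA@example.com/laptop
    print(is_authorized("userA@example.com",
                        encode_external_response("userB@example.com")))  # False
```

The two outcomes the reply distinguishes are visible in the code: with `=` the server simply copies the TLS-authenticated identity, and with an explicit authzid it either finds a policy entry allowing the proxy or refuses, which is the authorization that SASL EXTERNAL always performs even though it authenticates nothing itself.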