[Standards-JIG] UPDATED: XEP-0178 (Best Practices for Use of SASL EXTERNAL)

Matthias Wimmer m at tthias.eu
Tue Nov 28 14:35:58 UTC 2006

Hi Mridul!

Mridul schrieb:
> You are right about differing in authentication and authorization :
> hence in normal case, you could authenticate as userA thru SASL and
> authorize (bind) as userB.

No, you can't. On the one hand because SASL already does authorization
(by RFC 2222/4422), and on the other hand because resource binding only
selects the resource of the client; you cannot pass an authorization
identity with the bind request.

> In this specific context - you already did your auth as userA (through
> tls), and the bind for authorization comes at a later stage. SASL
> External is just indicating that you want to reuse the auth creds as
> negotiated by the underlying tls session and not provide another set of
> creds using sasl plain or digest-md5, etc.
It is correct that SASL EXTERNAL does not do authentication itself, but
indicates that authentication that has been done using some other means
should be used. But SASL EXTERNAL will always do authorization.
SASL EXTERNAL (RFC 4422, appendix A) will authorize you as the same
identity as you authenticated if you do not pass an authorization
identity in the SASL EXTERNAL handshake.

Tot kijk

Matthias Wimmer      Fon +49-700 77 00 77 70
Züricher Str. 243    Fax +49-89 95 89 91 56
81476 München        http://ma.tthias.eu/
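The authorization step Matthias describes (RFC 4422 Appendix A: an empty initial response means "authorize me as the identity I authenticated as", a non-empty one names a different authorization identity that the server must check) can be illustrated with a small server-side handler. This is an added example, not code from the post, from XEP-0178 or from any XMPP server; `identity_from_certificate` is a simplified stand-in for looking up the XMPP address in a validated client certificate, `proxy_rules` is a hypothetical policy table, and the JIDs and certificate entries are constructed sample values.

```python
import base64

# Constructed example: server-side handling of an XMPP
# <auth mechanism="EXTERNAL"> request after TLS client authentication.


def identity_from_certificate(san_entries):
    """Return the XMPP address the client authenticated as.

    san_entries is assumed to be a list of (type, value) pairs taken from the
    subjectAltName of a certificate that the TLS layer already validated
    against a trusted CA. XEP-0178 uses the id-on-xmppAddr otherName for this;
    the "xmppAddr" tag here is a simplified stand-in for that lookup.
    """
    for san_type, value in san_entries:
        if san_type == "xmppAddr":
            return value
    return None


def encode_initial_response(authzid: str) -> str:
    """Encode the client's SASL initial response for the <auth/> element.

    RFC 6120 represents an empty initial response as the single character
    "=" rather than an empty element, so "" maps to "=" here.
    """
    if authzid == "":
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def decode_initial_response(payload: str) -> str:
    """Inverse of encode_initial_response; raises ValueError on bad base64."""
    if payload in ("", "="):
        return ""
    # validate=True rejects characters outside the base64 alphabet
    # (binascii.Error is a subclass of ValueError).
    return base64.b64decode(payload, validate=True).decode("utf-8")


def authorize_external(authcid, requested_authzid, proxy_rules=None):
    """Apply RFC 4422 Appendix A.

    authcid is the identity established by TLS. Returns the identity the
    session is authorized as, or None if the request must be refused.
    proxy_rules (hypothetical) maps an authcid to the set of other identities
    it is allowed to act as; without an entry, only the authcid itself is
    acceptable.
    """
    if not authcid:
        return None  # TLS produced no usable identity; EXTERNAL cannot succeed
    if requested_authzid == "" or requested_authzid == authcid:
        # Empty authzid: authorized as the authenticated identity (the default).
        return authcid
    allowed = (proxy_rules or {}).get(authcid, set())
    if requested_authzid in allowed:
        return requested_authzid
    return None  # authenticated as userA, asked to act as userB: refuse


def handle_external_auth(san_entries, payload, proxy_rules=None):
    """Full server-side path: certificate -> authcid, payload -> authzid, decide."""
    authcid = identity_from_certificate(san_entries)
    try:
        requested = decode_initial_response(payload)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed initial response is a failure, not a default
    return authorize_external(authcid, requested, proxy_rules)


if __name__ == "__main__":
    cert = [("dNSName", "client.example.com"), ("xmppAddr", "userA@example.com")]
    print(handle_external_auth(cert, "="))  # userA@example.com
    print(handle_external_auth(cert, encode_initial_response("userB@example.com")))  # None
    print(handle_external_auth(cert, encode_initial_response("userB@example.com"),
                               {"userA@example.com": {"userB@example.com"}}))  # userB@example.com
```

The point to take from the handler is that the authorization decision is made inside the SASL EXTERNAL exchange, before resource binding: a client that authenticated as userA and omits the authzid is authorized as userA, and a client that names userB is refused unless a server-side policy explicitly allows it.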
