2.1.3 Mediated authorization - method SASL

At last we will discuss the most interesting method – mediated authorization. It is based on the following principle: the client will choose authentication mechanism from the offer and thus initiates the authentication process. Authentication information is transferred within the body of the element auth.

In case of the DIGEST mechanism the client sends no information at the beginning, the server replies with auth element, whose body contains “challenge”. Attribute Status has currently the value CONTINUE_NEEDED. The client must generate “response” using credentials and challenge. This response is sent in the body of the auth element to the XML bridge. The server examines the response and issues the verdict – sends element auth, now with empty body, but with attribute Status containing the value OK or LOGON_DENIED.

The process of generating the body of auth element, “tokens”, follows the rules of the selected authentication mechanism. The DIGEST mechanism is specified in [2][1]. Other authentication mechanisms can have more complicated exchange. The communication library does not in any way interpret received tokens. The library is only interested in the value of the Status attribute. If this is OK it means that the authentication process was successful, values CONTINUE_NEEDED, COMPLETE_NEEDED and COMPLETE_AND_CONTINUE say that further interaction is expected from the client, and other values mean that access was denied.

Finally, let us summarize the procedure for mediated authorization using the DIGEST mechanism:

1) after receiving the request for authorization check whether the library offers method SASL and mechanism DIGEST, if yes then;

2) send instruction: <auth Method="SASL" Mechanism="DIGEST"/>;

3) wait for challenge: <auth Method="SASL" Mechanism="DIGEST" Status="CONTINUE_NEEDED"> realm="2N",nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",qop=auth </auth>;

4) send response: <auth Method="SASL" Mechanism="DIGEST">username="NESLADEK",realm="2N", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="NetStar",qop=auth,nc=00000001,cnonce="0a4f113b",response="6629fae49393a05397450978507c4ef1",opaque="5ccc069c403ebaf9f0171e9517f40e41"</auth>;

5) wait for verdict: <auth Method="SASL" Mechanism="DIGEST" Status="OK"/>.
 

=[1] The algorithm of calculation according to [2] needs a parameter, which is in the specification called Method. However, this is not the same parameter as Method attribute of element auth. Calculation of the authentication token must be carried out using the value “MSGB”.