
Subject: [OASIS Issue Tracker] (AMQP-105) AMQPCBS: Indicating that multiple challenge-responses are required to transmit token set

    [ https://issues.oasis-open.org/browse/AMQP-105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65755#comment-65755 ] 

Brian Raymor commented on AMQP-105:

Rob Godfrey had additional related comments:

One thing we should define is the expected behaviour if one or more tokens are invalid.  Does the SASL exchange fail at the first invalid token, or do we continue until the end and then fail?  Should we provide guidance that the server should timeout and fail the authentication if all promised tokens are not sent / a response with more=true is not followed by any more responses?  This is not really CBS specific (the core doc should say something about how to behave if the client does not send a response in a "reasonable" amount of time).


My response about when the failure occurs:

Based on the current design proposed by Clemens, the SASL exchange does NOT fail at the first invalid token.  A set of errors is returned in the sasl-outcome as needed. 

> AMQPCBS: Indicating that multiple challenge-responses are required to transmit token set
> ----------------------------------------------------------------------------------------
>                 Key: AMQP-105
>                 URL: https://issues.oasis-open.org/browse/AMQP-105
>             Project: OASIS Advanced Message Queuing Protocol (AMQP) TC
>          Issue Type: Improvement
>          Components: Claims Based Security
>    Affects Versions: cbs-WD03
>            Reporter: Brian Raymor
>            Assignee: Brian Raymor
>             Fix For: cbs-WD04
> If the token set exceeds the frame size for sasl-init, then additional sasl-challenge and sasl-response pairs are required to send the remaining tokens.
> Multiple approaches are possible. WD3 uses a simple strawman to encourage discussion. When the server has received all the tokens based on the token count, it stops sending sasl-challenge and sends a sasl-outcome.
> Other options include:
> • The equivalent of the transfer more field is added to the response data, to indicate whether additional sasl-challenge and sasl-response frames are required to complete the exchange.
> • A "magic" value like NUL NUL could follow the last token and signal completion.
> • The server always sends an "empty" sasl-challenge and the client responds with an "empty" sasl-response when the exchange is complete. This is especially inefficient if all the tokens are sent in the sasl-init.
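As an added example, not taken from the AMQP TC or the issue text, the following Python simulation works through the "more"-field option above: the client splits a token set across sasl-init and sasl-response frames, the server answers each more=true frame with a sasl-challenge and then emits a single sasl-outcome that collects every token error instead of failing at the first invalid token, and a timeout guard covers the case Rob raises of a more=true response that is never followed. The frame layout, MAX_FRAME, the sample tokens and the validator are constructed assumptions, not anything from the CBS working draft.

```python
MAX_FRAME = 30   # constructed per-frame payload limit (bytes) so the sample set needs 3 frames
# Constructed sample token set: two well-formed tokens and one missing its 'sr=' audience part.
SAMPLE_TOKENS = ["sr=queue-one&sig=abcdef", "sr=queue-two&sig=ghijkl", "sig=mnopqr"]

def chunk_tokens(tokens, max_frame=MAX_FRAME):
    """Client side: pack tokens into frames; every frame except the last carries more=True."""
    frames, cur = [], []
    for tok in tokens:
        if cur and sum(len(t) + 1 for t in cur) + len(tok) > max_frame:
            frames.append({"tokens": cur, "more": True})
            cur = []
        cur.append(tok)
    frames.append({"tokens": cur, "more": False})
    return frames

def validate_token(tok):
    """Constructed check standing in for real token validation (signature, expiry, audience)."""
    return None if "sr=" in tok else f"invalid token: {tok.split('&')[0]}"

class Server:
    """Server side: accumulate tokens until more=False, then emit a single sasl-outcome."""
    def __init__(self):
        self.received, self.errors, self.awaiting_more = [], [], False
    def handle(self, frame):
        for tok in frame["tokens"]:
            err = validate_token(tok)
            if err:
                self.errors.append(err)      # record and keep going: no fail-fast on the first bad token
            else:
                self.received.append(tok)
        self.awaiting_more = frame["more"]
        if frame["more"]:
            return {"frame": "sasl-challenge"}          # ask the client for the next batch
        code = "ok" if not self.errors else "auth"
        return {"frame": "sasl-outcome", "code": code, "errors": list(self.errors)}
    def timed_out(self):
        """Guard for a more=True response that is never followed: fail the exchange."""
        if not self.awaiting_more:
            return None
        return {"frame": "sasl-outcome", "code": "auth", "errors": ["no sasl-response received"]}

def run_exchange(tokens):
    """Drive both sides; return the frame names exchanged and the final sasl-outcome."""
    server, log = Server(), []
    for i, frame in enumerate(chunk_tokens(tokens)):
        log.append("sasl-init" if i == 0 else "sasl-response")
        reply = server.handle(frame)
        log.append(reply["frame"])
    return log, reply
```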
