amqp message
Subject: RE: [amqp] [OASIS Issue Tracker] (AMQP-104) SASL Outcome: differentiating application-data based on code


I just read the small print for additional-data in SASL Outcome. See below.

Since the primary scenario for the SASL AMQPCBS mechanism is seeding the token cache, I'd propose that we do not support optional token validation as discussed on the 5/5/17 TC call.

While it provides fast-fail, there's no additional diagnostic information to identify the token that failed validation due to the application-data constraint.

Thoughts?

-----Original Message-----
From: amqp@lists.oasis-open.org [mailto:amqp@lists.oasis-open.org] On Behalf Of OASIS Issues Tracker
Sent: Wednesday, June 14, 2017 5:42 PM
To: amqp@lists.oasis-open.org
Subject: [amqp] [OASIS Issue Tracker] (AMQP-104) SASL Outcome: differentiating application-data based on code


    [ https://issues.oasis-open.org/browse/AMQP-104?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=66578#comment-66578 ] 

Brian Raymor commented on AMQP-104:
-----------------------------------

Just noticed that additional-data cannot be set for validation failures. From AMQP Core 5.3.3.5 SASL Outcome:

The additional-data field carries additional data on successful authentication outcome as specified by the SASL specification [RFC4422]. If the authentication is unsuccessful, this field is not set.

RFC4422 - https://tools.ietf.org/html/rfc4422#section-3.6 (strangely non-normative):

   The protocol may include an optional additional data field in this
   outcome message.  This field can only include additional data when
   the outcome is successful.


> SASL Outcome: differentiating application-data based on code
> ------------------------------------------------------------
>
>                 Key: AMQP-104
>                 URL: https://issues.oasis-open.org/browse/AMQP-104
>             Project: OASIS Advanced Message Queuing Protocol (AMQP) TC
>          Issue Type: Improvement
>          Components: Claims Based Security
>    Affects Versions: cbs-WD03
>            Reporter: Brian Raymor
>            Assignee: Brian Raymor
>             Fix For: cbs-WD04
>
>
> The current text:
> If the exchange was unsuccessful, the additional-data field in the sasl-outcome frame body contains a list of error message strings for token names which caused the authentication to fail. 
> //
> What about more general failures such as 5 tokens were promised but 4 were transferred?
> Do we want to differentiate the contents of additional-data based on the value of the code field?
> 0 Connection authentication succeeded.
> 1 Connection authentication failed due to an unspecified problem with the supplied credentials.
> 2 Connection authentication failed due to a system error.
> 3 Connection authentication failed due to a system error that is unlikely to be corrected without intervention.
> 4 Connection authentication failed due to a transient system error.



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)

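The rule quoted above (AMQP Core 1.0 section 5.3.3.5 and RFC 4422 section 3.6: additional-data may only be carried on a successful outcome) as an added example, not code from the original message or from any AMQP TC deliverable. The encoder refuses to attach additional-data to a non-zero code, and the decoder rejects a peer that sends it anyway. The byte layout follows the AMQP 1.0 type encodings (SASL frame type 0x01, described list with descriptor 0x00000000:0x00000044, ubyte code, binary additional-data) and the sasl-code values 0 to 4 listed in the issue. The function names, the `strict` flag, the `_build_frame` helper and the sample payload are assumptions of this example.

```python
"""AMQP 1.0 sasl-outcome encoder/decoder that enforces the additional-data rule.

Added example, not code from the AMQP TC or the original message. Wire layout
follows AMQP Core 1.0 (section 1.6 primitive encodings, 5.3 SASL framing,
5.3.3.5 sasl-outcome).
"""
import struct
from enum import IntEnum
from typing import Optional, Tuple

SASL_OUTCOME_DESCRIPTOR = 0x44  # descriptor 0x00000000:0x00000044 as a smallulong
SASL_FRAME_TYPE = 0x01          # 'type' octet of the frame header for SASL frames


class SaslCode(IntEnum):
    """sasl-code values from AMQP Core 5.3.3.6 (same list as in the issue)."""
    OK = 0         # authentication succeeded
    AUTH = 1       # unspecified problem with the supplied credentials
    SYS = 2        # system error
    SYS_PERM = 3   # system error unlikely to be corrected without intervention
    SYS_TEMP = 4   # transient system error


def _encode_binary(data: bytes) -> bytes:
    """AMQP binary: vbin8 (0xa0) for short values, vbin32 (0xb0) otherwise."""
    if len(data) < 256:
        return b"\xa0" + bytes([len(data)]) + data
    return b"\xb0" + struct.pack(">I", len(data)) + data


def _build_frame(code: int, additional_data: Optional[bytes]) -> bytes:
    """Serialise a sasl-outcome frame WITHOUT checking the spec rule.

    Kept separate so a test can build the non-conforming frame a misbehaving
    peer would send (hypothetical helper of this example).
    """
    elements = b"\x50" + bytes([int(code)])                     # ubyte code
    elements += _encode_binary(additional_data) if additional_data is not None else b"\x40"  # or null
    if len(elements) + 1 <= 255:                                # list8: size(1) count(1)
        lst = b"\xc0" + bytes([len(elements) + 1, 2]) + elements
    else:                                                       # list32: size(4) count(4)
        lst = b"\xd0" + struct.pack(">II", len(elements) + 4, 2) + elements
    body = b"\x00\x53" + bytes([SASL_OUTCOME_DESCRIPTOR]) + lst  # described list
    # frame header: size, doff=2 (8-byte header), type, reserved
    return struct.pack(">IBBH", 8 + len(body), 2, SASL_FRAME_TYPE, 0) + body


def encode_sasl_outcome(code: int, additional_data: Optional[bytes] = None) -> bytes:
    """Server side: additional-data is only legal when the outcome is ok (0)."""
    code = SaslCode(code)
    if code != SaslCode.OK and additional_data is not None:
        raise ValueError("additional-data is only permitted when code is ok (0)")
    return _build_frame(code, additional_data)


def decode_sasl_outcome(frame: bytes, strict: bool = True) -> Tuple[SaslCode, Optional[bytes]]:
    """Client side: parse a sasl-outcome frame; in strict mode reject
    additional-data on a failed outcome instead of acting on it."""
    size, doff, ftype, _ = struct.unpack(">IBBH", frame[:8])
    if size != len(frame) or ftype != SASL_FRAME_TYPE:
        raise ValueError("not a well-formed SASL frame")
    body = frame[doff * 4:]
    if body[:3] != b"\x00\x53" + bytes([SASL_OUTCOME_DESCRIPTOR]):
        raise ValueError("not a sasl-outcome")
    pos = 3
    if body[pos] == 0xC0:                                       # list8
        count = body[pos + 2]
        pos += 3
    elif body[pos] == 0xD0:                                     # list32
        count = struct.unpack(">I", body[pos + 5:pos + 9])[0]
        pos += 9
    else:
        raise ValueError("sasl-outcome body is not a list")
    if count < 1 or body[pos] != 0x50:
        raise ValueError("missing mandatory code field")
    code = SaslCode(body[pos + 1])
    pos += 2
    additional = None
    if count >= 2:
        tag = body[pos]
        if tag == 0xA0:                                         # vbin8
            n = body[pos + 1]
            additional = body[pos + 2:pos + 2 + n]
        elif tag == 0xB0:                                       # vbin32
            n = struct.unpack(">I", body[pos + 1:pos + 5])[0]
            additional = body[pos + 5:pos + 5 + n]
        elif tag != 0x40:                                       # null
            raise ValueError("additional-data is not binary")
    if strict and code != SaslCode.OK and additional is not None:
        raise ValueError("additional-data present on a failed outcome (AMQP 5.3.3.5, RFC 4422 3.6)")
    return code, additional


if __name__ == "__main__":
    # constructed sample: a successful outcome carrying opaque mechanism data
    frame = encode_sasl_outcome(SaslCode.OK, b"cache-seed")
    print(frame.hex(), decode_sasl_outcome(frame))
    print(decode_sasl_outcome(encode_sasl_outcome(SaslCode.AUTH)))
```

On a failure outcome the decoder can only ever return the code, which is exactly why the per-token error strings in the current CBS text cannot be delivered through this field.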