OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

mqtt message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] (MQTT-432) Consider adding return code of "Authentication failed"

    [ https://issues.oasis-open.org/browse/MQTT-432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=66275#comment-66275 ] 

Ken Borgendale commented on MQTT-432:

It is bad security practice to tell a client the reason they are not authorized.  Such information can be put in some other location for the use by authorized admins.

This was discussed during v3.1.1 meetings over the meaning of the 4 return code which in v3.1 is "Bad user name or password" which had been interpreted as a "not authenticated" return code.  The description was change to clarify that this indicated that the user name or password is malformed.  There was a further attempt to reword this as the 134 (0x86) return code in v5.0.  

I think it is highly inappropriate to ever use even that return code, as if the client sends me a user name or password that is not valid I am quite unwilling to say anything but a generic not authorized, and I am not sure I always want to return even that.

So consider the example of a user name not being valid UTF-8.  I might consider this a malformed packet or I might consider this a bad user name.  I might consider this an implementation specific error, or I might consider the user to be not authorized to send in a n invalid user name.  Having selected one of these, I can then decide to send a CONNACK  with one of these return codes, or to just close the network connection without informing the client of why.  

> Consider adding return code of "Authentication failed"
> ------------------------------------------------------
>                 Key: MQTT-432
>                 URL: https://issues.oasis-open.org/browse/MQTT-432
>             Project: OASIS Message Queuing Telemetry Transport (MQTT) TC
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 5, wd13
>            Reporter: Richard Coppen
> There is no return code on CONNACK and DISCONNECT for  "Authentication Failed". The general guidance is to use "Not Authorised". This seems a little confusing as the Client can't be authorised as it's not yet authenticated. This might make debug more difficult and lead to some implementation confusion.
> We do make the distinction elsewhere in the spec e.g., 
> User Name
> If the User Name Flag is set to 1, the User Name is the next field in the Payload. The User Name MUST be a UTF-8 Encoded String as defined in Section 1.5.4 [MQTT-3.1.3-10]. It can be used by the Server for authentication and authorization.

This message was sent by Atlassian JIRA

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]