OASIS Advanced Message Queuing Protocol (AMQP) TC / AMQP-104

SASL Outcome: differentiating application-data based on code

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: cbs-WD03
    • Fix Version/s: cbs-WD04
    • Component/s: Claims Based Security
    • Labels:
      None
    • Proposal:

      During the 5/5/17 TC call, we agreed to:

      1. Use "NUL NUL" as a terminator for the token list rather than a prefixed token count.
      2. Allow optional validation of tokens with fast-failure.

      These changes simplify sasl-outcome.

      • If optional validation is NOT used, then sasl-outcome.code is set to 0 and sasl-outcome.additional-data is empty.
      • If optional validation is used and no failure occurs, then sasl-outcome.code is set to 0 and sasl-outcome.additional-data is empty.
      • If optional validation is used and fails, no further token processing occurs (fast fail), then sasl-outcome is set to 1 and sasl-outcome.additional-data contains the name and one-relative list index of the token that caused the error.
      • Other error conditions MAY set sasl-outcome.code to values between 2-4 and MAY return diagnostic information in sasl-outcome.additional-data.

      Description

      The current text:

      If the exchange was unsuccessful, the additional-data field in the sasl-outcome frame body contains a list of error message strings for token names which caused the authentication to fail.

      //

      What about more general failures such as 5 tokens were promised but 4 were transferred?

      Do we want to differentiate the contents of additional-data based on the value of the code field?

      0 Connection authentication succeeded.
      1 Connection authentication failed due to an unspecified problem with the supplied credentials.
      2 Connection authentication failed due to a system error.
      3 Connection authentication failed due to a system error that is unlikely to be corrected without intervention.
      4 Connection authentication failed due to a transient system error.
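
The sasl-outcome rules agreed in the proposal above, sketched as a receiver-side check; this is an added example, not text or code from the TC or the CBS draft. Assumptions: the token list is laid out as name NUL value pairs closed by NUL NUL, additional-data for code 1 is encoded as "name:index", malformed lists map to code 2, and the validator callback is hypothetical.

```python
from typing import Callable, List, Optional, Tuple

TERMINATOR = b"\x00\x00"  # "NUL NUL" ends the token list (from the proposal)
Validator = Callable[[str, bytes], bool]


def parse_token_list(buf: bytes) -> List[Tuple[str, bytes]]:
    """Parse the ASSUMED layout name NUL value NUL name NUL value NUL NUL."""
    end = buf.find(TERMINATOR)
    # The first NUL NUL must also be the last two bytes: a missing terminator
    # means truncation, and trailing bytes after it are never silently dropped.
    if end == -1 or end + len(TERMINATOR) != len(buf):
        raise ValueError("token list not terminated by a single NUL NUL")
    fields = buf[:end].split(b"\x00")
    if len(fields) % 2 or not all(fields):
        raise ValueError("token list is not a sequence of name/value pairs")
    names = [f.decode("utf-8") for f in fields[0::2]]  # bad UTF-8 -> ValueError
    return list(zip(names, fields[1::2]))


def sasl_outcome(buf: bytes, validate: Optional[Validator] = None,
                 malformed_code: int = 2) -> Tuple[int, bytes]:
    """Return (sasl-outcome.code, sasl-outcome.additional-data)."""
    try:
        tokens = parse_token_list(buf)
    except ValueError:
        # "Other error conditions" MAY use 2-4; which one is an assumption.
        # The diagnostic stays generic because the peer is unauthenticated.
        return malformed_code, b"malformed token list"
    if validate is None:  # optional validation not used
        return 0, b""
    for index, (name, value) in enumerate(tokens, start=1):  # one-relative
        if not validate(name, value):
            # Fast fail: later tokens are never handed to the validator.
            # The "name:index" encoding of additional-data is an assumption.
            return 1, f"{name}:{index}".encode("utf-8")
    return 0, b""


if __name__ == "__main__":
    # Constructed sample: three tokens, the second one fails validation.
    sample = b"aud1\x00tokA\x00aud2\x00expired\x00aud3\x00tokC\x00\x00"
    reject_expired = lambda name, value: value != b"expired"  # hypothetical
    print(sasl_outcome(sample))                  # validation not used
    print(sasl_outcome(sample, reject_expired))  # fails fast at token 2
    print(sasl_outcome(sample[:-1]))             # terminator truncated
```
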

            People

            • Assignee:
              brianraymor Brian Raymor [X] (Inactive)
              Reporter:
              brianraymor Brian Raymor [X] (Inactive)