- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: cbs-WD03
- Fix Version/s: cbs-WD04
- Component/s: Claims Based Security
- Labels: None
Proposal:
If the token set exceeds the frame size for sasl-init, then additional sasl-challenge and sasl-response pairs are required to send the remaining tokens.
Multiple approaches are possible. WD3 uses a simple strawman to encourage discussion. When the server has received all the tokens based on the token count, it stops sending sasl-challenge and sends a sasl-outcome.
Other options include:
• The equivalent of the transfer "more" field is added to the response data:
RESPONSE = TOKEN-COUNT 1*TOKEN MORE
to indicate whether additional sasl-challenge and sasl-response frames are required to complete the exchange.
• A "magic" value like NUL NUL could follow the last token and signal completion.
• The server always sends an "empty" sasl-challenge and the client responds with an "empty" sasl-response when the exchange is complete. This is especially inefficient if all the tokens are sent in the sasl-init.
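The following simulation is an added example, not text or code from the CBS draft. It compares the frame sequence of the WD3 token-count strawman with the "empty" sasl-challenge/sasl-response option. It assumes that tokens are never split across frames, that frame size is the sum of token lengths (headers ignored), and that the server learns the total token count from sasl-init; the function names pack and exchange are hypothetical.

```python
# Added illustration; the framing model below is assumed, not taken from the draft.

def pack(tokens, frame_size):
    """Client side: greedily pack whole tokens into payloads of at most
    frame_size bytes. Assumption: a token is never split across frames."""
    frames, current, used = [], [], 0
    for tok in tokens:
        if len(tok) > frame_size:
            raise ValueError("token larger than frame size")
        if current and used + len(tok) > frame_size:
            frames.append(current)
            current, used = [], 0
        current.append(tok)
        used += len(tok)
    frames.append(current)
    return frames


def exchange(tokens, frame_size, scheme="count"):
    """Return [(sender, frame, tokens_carried), ...] for the whole exchange.
    scheme="count": server stops challenging once TOKEN-COUNT tokens arrived.
    scheme="empty": an empty challenge/response pair always ends the exchange."""
    payloads = pack(tokens, frame_size)
    expected = len(tokens)              # TOKEN-COUNT, assumed known from sasl-init
    received = len(payloads[0])
    pending = payloads[1:]
    trace = [("client", "sasl-init", received)]
    while True:
        if scheme == "count" and received == expected:
            break                       # server has every token, no more challenges
        trace.append(("server", "sasl-challenge", 0))
        if not pending:                 # "empty" scheme: empty response terminates
            trace.append(("client", "sasl-response", 0))
            break
        chunk = pending.pop(0)
        received += len(chunk)
        trace.append(("client", "sasl-response", len(chunk)))
    trace.append(("server", "sasl-outcome", 0))
    return trace


# Constructed sample input: three 40-byte tokens.
SAMPLE_TOKENS = [b"a" * 40, b"b" * 40, b"c" * 40]
```

With a frame size that holds every sample token, the count scheme finishes in two frames while the "empty" scheme needs four, which is the inefficiency the last option describes.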