[AMQP-105] AMQPCBS: Indicating that multiple challenge-responses are required to transmit token set - OASIS Technical Committees Issue Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: cbs-WD03
Fix Version/s: cbs-WD04
Component/s: Claims Based Security
Labels:
None

Proposal:

Hide

Based on the 5/5/17 TC call, there was agreement to:

1. Use NUL NUL to signal that the response contains the final token
2. To allow optional validation - but fast-fail on the first validation error

Show
Based on the 5/5/17 TC call, there was agreement to: 1. Use NUL NUL to signal that the response contains the final token 2. To allow optional validation - but fast-fail on the first validation error

Description

If the token set exceeds the frame size for sasl-init, then additional sasl-challenge and sasl-response pairs are required to send the remaining tokens.

Multiple approaches are possible. WD3 uses a simple strawman to encourage discussion. When the server has received all the tokens based on the token count, it stops sending sasl-challenge and sends a sasl-outcome.

Other options include:

• The equivalent of the transfer more field is added to the response data:

RESPONSE = TOKEN-COUNT 1*TOKEN MORE

to indicate whether additional sasl-challenge and sasl-response frames are required to complete the exchange.

• A "magic" value like NUL NUL could follow the last token and signal completion.

• The server always sends an "empty" sasl-challenge and the client responds with an "empty" sasl-response when the exchange is complete. This is especially inefficient if all the tokens are sent in the sasl-init.

Attachments

Activity

People

Assignee:

Brian Raymor [X] (Inactive)

Reporter:

Brian Raymor [X] (Inactive)

Watchers:

1 Start watching this issue

Dates

Created:

31/Mar/17 5:54 PM

Updated:

07/Aug/17 5:27 PM

Resolved:

14/Jun/17 11:53 PM