-
-
Notifications
You must be signed in to change notification settings - Fork 6.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to specify SASL authorization identity #feature-request #3653
Comments
I've updated the function signature of the PLAIN message creation function to allow us to pass authorisation identity separately to the authentication identify - in PR #3757. The calling code simply passes the connection's username into both the authzid and authcid parameters to maintain current functionality at present. To add this feature, I believe we need to somehow pass the two identies separately now... The questions I have:
Note: As this operation is performed in the main SASL authentication code it will affect other protocols such as SMTP and POP3 and not just IMAP. |
Thanks, but this description sounds as if you're asking for a new feature/change. We use this tracker for bugs and issues only, we put ideas to work on in the future in the TODO document. We basically drown in good ideas so they don't do much use in our tracker. So, this issue will be closed soon. |
Would it still be possible to be updated here once it's implemented? Thanks a lot @captain-caveman2k for making progress :) (I flagged as feature request since the label exists, which is strange if you don't accept them here. But we could argue that non-respect to RFC is a bug.) |
We have the label here since we can't prevent people from submitting feature-requests even if we wanted to, and when we do get them, we flag them accordingly.
It depends. We auto-lock closed issues after N days (which prevents users from commenting further in them) so it will depend on when/if such an implementation is done. But presumably if this is worked on further, it will be done with new pull-requests and it will even appear in a changelog down the line if it lands in master... |
I'm happy to work on the implementation of this - as I've already worked on the email protocols quite a bit since 2011 (not so much over the last 2 years though - so here I am trying to get back into curl://development as I still enjoy developing as a pass time). Does anyone have any views/input on my questions above? |
I'm not a member, so forgive me for exposing my POV if it's not appropriate. I would stay BC as much as possible so:
|
Ah yes - I had missed the fact that it was optional :( I now see from the RFC that we would, in that case, simply specify the following: UTF8NUL authcid UTF8NUL passwd Then the server will derives the authorization id. From what I can see, there doesn't appear to be a way of the server telling the client what that derived id is - so in that respect we don't need an API to extract it from libcurl. So in summary I think a new string option such as CURLOPT_SASL_AUTHZID in lib curl (and an appropriate command line option in curl) to be able to specify this. At present I can't see any existing options that we can hijack but if anyone has any suggestions for an alternative/more generic name please feel free to make them. |
I've added my first patch set in PR #3790. Please note it is not yet complete - but it gives you an idea of what I think we need. |
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes curl#3653 Closes curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
- Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to grandparent commit which added the tests. Ref: curl#3653 Ref: curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes curl#3653 Closes curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
- Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to grandparent commit which added the tests. Ref: curl#3653 Ref: curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #4186
- Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to grandparent commit which added the tests. Ref: #3653 Ref: #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #4186
I request this
In the RFC 4616 the Plain SASL Mechanism defines 3 parts:
The authzid is optional and the server should derive it from authcid if not provided (The client is also free to re-use the same value as authcid when building the authentication string).
Right now it looks like CURLOPT_USERPWD (
user:pwd
) will useauthzid=user
authcid=user
andpasswd=pwd
when building the authentication string (or maybe it omits theauthzid
, I'm not sure since I didn't find the code associated with that feature).It looks like cURL has no way of using an authorization identity (to act as) different than the authentication identity. This is sometimes required, for example to connect to an O365 shared inbox (the inbox is the identity to act as, but is access using the identity of a real user account).
Possible implementations (suggestions)
authzid
/act_as
thingact_as:user:password
).The text was updated successfully, but these errors were encountered: