We currently send the assertion in the CB_AUTHNAME field. The latest assertions in production are larger than the max allowed for this field and are causing SASL_BUFOVER to be returned when we try to canonicalize the authname.
    result = params->canon_user(params->utils->conn, browser_assertion, 0,
                                SASL_CU_AUTHZID, oparams);
This causes the server plugin to quit early and auth to fail.
Areas to explore:
Use different fields
Figure out max lengths
Make a multi-step protocol based on max output length
???
I think I was using canon_user wrong in the client plugin. It was 'working' by accident.
I was calling canon_user with the assertion and audience. I don't need to do this. canon_user should be called on the client side with the user's email address for both user and authname.
I'm currently investigating a two step protocol (instead of 1 step).
Client sends 'assertion NUL audience NUL'
Server sends back 'email NUL'
With this piece of information, the client can call canon_user.
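As an added example (not code from this project), here is a bounds-checked handler for the two-step exchange described in the comment above: it parses 'assertion NUL audience NUL' from an untrusted buffer and builds the 'email NUL' reply. The function names, the struct and the length limits are hypothetical; the issue leaves the real maximum lengths open.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits; the issue does not state the real maximums. */
#define MAX_ASSERTION_LEN 8192
#define MAX_AUDIENCE_LEN  1024

/* Hypothetical view into the client's message; points into buf, no copies. */
struct client_msg {
    const char *assertion; size_t assertion_len;
    const char *audience;  size_t audience_len;
};

/* Parse "assertion NUL audience NUL" from an untrusted buffer of len bytes.
 * Returns 0 on success, -1 on malformed, truncated or oversized input. */
int parse_client_msg(const char *buf, size_t len, struct client_msg *out)
{
    const char *end1, *end2;
    size_t rest;

    if (buf == NULL || out == NULL || len == 0)
        return -1;
    end1 = memchr(buf, '\0', len);            /* terminator of field 1 */
    if (end1 == NULL || end1 == buf)          /* missing or empty assertion */
        return -1;
    rest = len - (size_t)(end1 - buf) - 1;    /* bytes left after first NUL */
    if (rest == 0)
        return -1;
    end2 = memchr(end1 + 1, '\0', rest);      /* terminator of field 2 */
    if (end2 == NULL || end2 == end1 + 1)     /* missing or empty audience */
        return -1;
    if ((size_t)(end2 - buf) + 1 != len)      /* no bytes after second NUL */
        return -1;
    out->assertion = buf;
    out->assertion_len = (size_t)(end1 - buf);
    out->audience = end1 + 1;
    out->audience_len = (size_t)(end2 - end1) - 1;
    if (out->assertion_len > MAX_ASSERTION_LEN ||
        out->audience_len > MAX_AUDIENCE_LEN)
        return -1;
    return 0;
}

/* Build the server reply "email NUL" into out.
 * Returns bytes written (including the NUL), or 0 if it does not fit. */
size_t build_server_reply(const char *email, char *out, size_t outlen)
{
    size_t n = strlen(email);
    if (n == 0 || n + 1 > outlen)
        return 0;
    memcpy(out, email, n + 1);
    return n + 1;
}
```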