
I am trying to create an XMPP server library for an XMPP-based application I will be developing. I am stuck on trying to authenticate the client with plain SASL. I have already read the RFC at https://www.rfc-editor.org/rfc/rfc6120#section-6.4.6

My problem is that after sending a <success />, receiving and sending a new open tag and an empty features list, the client (Pidgin) proceeds to authenticate using non-SASL authentication. This is a log of the communication (<< means incoming, >> outgoing):

<<  <?xml version='1.0' ?><stream:stream to='127.0.0.1' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

>>  <?xml version="1.0" ?>
>>  <stream:stream version="1.0" xmlns="jabber:server" xmlns:stream="http://etherx.jabber.org/streams" id="kanapka" from="127.0.0.1">
>>  <stream:features>
>>  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
>>  <mechanism>
>>  PLAIN
>>  </mechanism>
>>  </mechanisms>
>>  </stream:features>

<<  <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN' xmlns:ga='http://www.google.com/talk/protocol/auth' ga:client-uses-full-bind-result='true'>AHRlc3R1c2VyAHRlc3RwYXNz</auth>

>>  <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl" />

<<  <stream:stream to='127.0.0.1' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

>>  <?xml version="1.0" ?>
>>  <stream:stream version="1.0" xmlns="jabber:server" xmlns:stream="http://etherx.jabber.org/streams" id="hotdog" from="127.0.0.1">
>>  <stream:features />

<<  <iq type='get' id='purple46cbc043'><query xmlns='jabber:iq:auth'><username>testuser</username></query></iq>

I am not yet using TLS, nor have I tried any other SASL mechanism. This is all plain text.

This is the same TCP connection; the stream IDs are different. What is the problem here?

asked by M3L

1 Answer


You're not advertising support for resource binding, so the client can't complete the session setup. It seems Pidgin decides then to fall back on jabber:iq:auth (pre-XMPP style) if the server doesn't support XMPP-style stream setups.

You'll want to take a look at https://www.rfc-editor.org/rfc/rfc6120#section-7 as "Support for resource binding is REQUIRED in XMPP client and server implementations." and "The parties to a stream MUST consider resource binding as mandatory-to-negotiate."

While implementing XMPP by looking at what other implementations do, rather than following the specs, is not a good idea, sometimes taking a glance at another implementation's stream can give a clue when you get stuck like this.

answered by Kev
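To make the answer concrete, here is an added Python sketch (not code from the question or the answer) of what the server side of the exchange above should do once SASL succeeds: decode the PLAIN payload from the log, send a post-authentication feature list that advertises bind instead of an empty one, and answer the client's bind IQ with the full JID. The bare JID and the bind request stanza are constructed examples; password verification is left to the caller.

```python
import base64
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

NS_BIND = "urn:ietf:params:xml:ns:xmpp-bind"
NS_STREAM = "http://etherx.jabber.org/streams"


def parse_sasl_plain(payload_b64):
    """Split a SASL PLAIN initial response (RFC 4616) into
    (authzid, authcid, password); the three fields are NUL separated."""
    parts = base64.b64decode(payload_b64).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN payload")
    return tuple(p.decode("utf-8") for p in parts)


def post_auth_features():
    """Features the server sends on the restarted stream after <success/>.
    Resource binding is mandatory-to-negotiate (RFC 6120 section 7), so it
    must be advertised here; the empty <stream:features/> in the question
    is what made Pidgin fall back to jabber:iq:auth."""
    return (f'<stream:features xmlns:stream="{NS_STREAM}">'
            f'<bind xmlns="{NS_BIND}"/></stream:features>')


def handle_bind_iq(iq_xml, bare_jid):
    """Answer the client's bind request with an IQ result carrying the full
    JID. A client-supplied <resource/> is honoured; otherwise the server
    generates a random one (RFC 6120 section 7.6)."""
    iq = ET.fromstring(iq_xml)
    bind = iq.find(f"{{{NS_BIND}}}bind")
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "set" or bind is None:
        raise ValueError("not a resource-bind request")
    res_el = bind.find(f"{{{NS_BIND}}}resource")
    resource = (res_el.text or "").strip() if res_el is not None else ""
    if not resource:
        resource = secrets.token_hex(8)
    full_jid = f"{bare_jid}/{resource}"
    reply = (f'<iq type="result" id={quoteattr(iq.get("id", ""))}>'
             f'<bind xmlns="{NS_BIND}"><jid>{escape(full_jid)}</jid></bind></iq>')
    return full_jid, reply


if __name__ == "__main__":
    # Constructed sample exchange modelled on the log in the question.
    print(parse_sasl_plain("AHRlc3R1c2VyAHRlc3RwYXNz"))
    print(post_auth_features())
    req = ('<iq type="set" id="bind_1"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">'
           '<resource>pidgin</resource></bind></iq>')
    print(handle_bind_iq(req, "testuser@127.0.0.1"))
```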