Client-side challenge response authentication #29

Open
ecorm opened this issue Apr 5, 2015 · 2 comments
Comments

@ecorm (Owner)

ecorm commented Apr 5, 2015

Implement challenge response authentication, as per the advanced spec.

@ecorm changed the title from "Implement challenge response authentication" to "Implement challenge response authentication on client" on Apr 7, 2015

@ecorm (Owner, Author)

ecorm commented Apr 7, 2015

Client requirements:

  • HELLO.Options.authmethods|list includes "wampcra"
  • HELLO.Options.authid|string is the authentication ID (e.g. username)
  • Receive CHALLENGE messages
  • Compute the HMAC-SHA256 using the shared secret over the challenge.
  • Send AUTHENTICATE messages in response to CHALLENGE
  • Accept WELCOME.Details containing authentication information
  • Allow the client program to forward the challenge to another party. This could be done by registering a callback function.

The client API should also allow the program to pass in a salted password, instead of a verbatim password. This way, the library cannot possibly leak the verbatim password.

Care should be taken so that the secret is wiped (zeroed-out) from memory ASAP.

The spec does not specify what the ABORT.Reason|URI should be if authentication fails. I have raised this issue in wamp-proto/wamp-proto#15.

@ecorm added the client label on Apr 7, 2015
@ecorm removed the client label on Feb 9, 2016

@ecorm (Owner, Author)
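The signature step from the requirements above, as an added example that is not CppWAMP's own code: it implements the WAMP-CRA computation in Python (base64 of HMAC-SHA256 over the challenge string, with the key being either the plain secret or, in the spec's salted mode, the base64 PBKDF2-HMAC-SHA256 derived key), wipes the secret buffer after use, and includes the router-side constant-time check. The CHALLENGE.Extra values, salt and PBKDF2 parameters are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def derive_key(secret: bytes, salt: bytes, iterations: int, keylen: int) -> bytes:
    """Salted mode: key = base64(PBKDF2-HMAC-SHA256(secret, salt)).
    The router stores only this derived key, so the client can be handed the
    derived key instead of the verbatim password."""
    raw = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, keylen)
    return base64.b64encode(raw)

def compute_signature(key: bytes, challenge: str) -> str:
    """AUTHENTICATE.Signature = base64(HMAC-SHA256(key, CHALLENGE.Extra.challenge))."""
    mac = hmac.new(key, challenge.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_signature(key: bytes, challenge: str, signature: str) -> bool:
    """Router-side check; compare_digest avoids leaking a timing side channel."""
    return hmac.compare_digest(compute_signature(key, challenge), signature)

def wipe(buf: bytearray) -> None:
    """Best-effort zeroing of a secret held in a mutable buffer. Python cannot
    guarantee that no other copies exist (e.g. the bytes() copy below)."""
    for i in range(len(buf)):
        buf[i] = 0

def handle_challenge(secret: bytearray, extra: dict) -> str:
    """Answer a CHALLENGE for authmethod 'wampcra'. If Extra carries salt
    parameters the key is derived first; the secret is wiped before returning."""
    try:
        if "salt" in extra:
            key = derive_key(bytes(secret), extra["salt"].encode("utf-8"),
                             int(extra["iterations"]), int(extra["keylen"]))
        else:
            key = bytes(secret)
        return compute_signature(key, extra["challenge"])
    finally:
        wipe(secret)

# Constructed sample CHALLENGE.Extra in the shape a router sends (all values made up).
SAMPLE_EXTRA = {
    "challenge": json.dumps({"nonce": "constructed-nonce", "authprovider": "static",
                             "authid": "alice", "timestamp": "2015-04-07T00:00:00.000Z",
                             "authrole": "user", "authmethod": "wampcra", "session": 1}),
    "salt": "constructed-salt", "iterations": 1000, "keylen": 32,
}

if __name__ == "__main__":
    password = bytearray(b"correct horse battery staple")
    print(handle_challenge(password, SAMPLE_EXTRA))
    print(bytes(password))  # all zero after the exchange
```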

ecorm commented May 18, 2022

With the existing authentication API, nothing prevents CppWAMP users from computing the cryptographic signatures themselves using other crypto libraries.

@ecorm changed the title from "Implement challenge response authentication on client" to "Client-side challenge response authentication" on May 21, 2022