Opened 11 years ago

Closed 11 years ago

#554 closed enhancement (worksforme)

Automatically detect the realm for authenticating against IMS servers, so that application/user doesn't have to fill in the realm value beforehand, to simplify provisioning (thanks Philippe Leuba for the suggestion)

Reported by: bennylp
Owned by: bennylp
Priority: normal
Milestone: release-1.0-rc1
Component: pjsip
Version: trunk
Keywords: (none)
Cc: (none)
Backport to 1.x milestone: (none)
Backported: (none)

Description

Problem description:

In the old registration sequence, we sent a first REGISTER request without an Authorization header, which was challenged with a nonce, followed by a second REGISTER request carrying the username and the response.

However, in IMS the server is unable to send the right nonce as long as it has not received the private identity in the username. So the second REGISTER is rejected again, with a new nonce.

With the pjsip_auth_clt_pref structure, we can configure the initial REGISTER to contain an empty Authorization header, with just a realm, username and uri. This way the server can challenge it with the right nonce, since it knows the username, and the second REGISTER request can succeed.

However, this sequence forces the user to know the realm in advance, as the ‘*’ wildcard cannot be used here. This complicates provisioning and is a source of additional support problems.

Basic Idea:

One way to prevent the provisioning of this realm:

  • Send a first REGISTER request without Authorization header
  • Receive back the realm and a provisional nonce
  • Send a second REGISTER request with Authorization header, filled with the username, realm, response, etc
  • Receive back the realm and the definitive nonce associated with the username
  • Send a third REGISTER request with Authorization header, filled with the username, realm, final response, etc

Proposed solution:

We can add support for using the wildcard ("*") realm with IMS, which will activate the three-stage authentication explained above. So when the "send empty Authorization" setting is enabled and the realm is the wildcard, the auth framework will perform the three-stage authentication as above.

Drawback:

With the above, authentication for all requests will use three-stage authentication, which increases the number of message round-trips. However, this is deemed acceptable as it happens only when the application specifies the wildcard as the realm.

Change History (3)

comment:1 Changed 11 years ago by bennylp

In r2109:

  • related to this ticket, this changeset handles the case where the server rejects Authorization because of an incorrect nonce but fails to set the stale parameter to true. In this case we will retry the authentication as long as the nonce in the challenge is different from the current nonce. This could potentially solve this ticket.

comment:2 Changed 11 years ago by bennylp

In r2110 and r2111:

  • Added testing module for various authentication scenarios

comment:3 Changed 11 years ago by bennylp

  • Resolution set to worksforme
  • Status changed from new to closed

For now, conclude that this issue has been fixed by r2109 above. With this changeset, what the application should do is:

  • set realm to wildcard ("*") as usual
  • disable sending initial/empty Authorization header
  • and that's it.
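The following is an added example, not code from pjsip or from this ticket's changesets: a small Python model of the REGISTER exchange described in the ticket (first request without Authorization, provisional nonce, second request rejected with the definitive nonce, third request accepted) together with the r2109 retry rule from comment:1 (retry while the challenge nonce differs from the one just used, even when stale is not set; stop when the same nonce comes back without stale, because that means the credentials were rejected). The registrar class, the nonce format, the realm ims.example.invalid and the user names are constructed for the example; the Digest computation is the RFC 2617 form without qop. Because the client takes the realm from each challenge, the application never has to provision it, which is the point of the wildcard realm.

```python
import hashlib
import itertools


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class ImsRegistrar:
    """Constructed stand-in for the IMS server behaviour the ticket describes:
    without a private identity it can only hand out a provisional nonce, and
    when it rejects a request carrying the wrong nonce it does NOT set
    stale=true (the case comment:1 / r2109 addresses)."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = dict(users)            # private identity -> password
        self._seq = itertools.count(1)      # deterministic nonces for the example
        self.provisional_nonce = self._new_nonce("prov")
        self.user_nonce = {}                # private identity -> definitive nonce

    def _new_nonce(self, tag):
        return f"{tag}-{next(self._seq):04d}"

    def _challenge(self, nonce):
        # stale is deliberately always False, mirroring the server misbehaviour
        return {"realm": self.realm, "nonce": nonce, "stale": False}

    def handle_register(self, authorization):
        """Return (status_code, challenge_or_None) for one REGISTER request."""
        if authorization is None:
            return 401, self._challenge(self.provisional_nonce)
        user = authorization["username"]
        if user not in self.users:
            return 403, None
        # The definitive nonce is bound to the private identity once it is known.
        nonce = self.user_nonce.setdefault(user, self._new_nonce("user"))
        expected = digest_response(user, self.realm, self.users[user],
                                   "REGISTER", authorization["uri"], nonce)
        if authorization["nonce"] != nonce or authorization["response"] != expected:
            return 401, self._challenge(nonce)
        return 200, None


def register(server, username, password, uri="sip:ims.example.invalid", max_attempts=5):
    """Client side of the exchange. Returns (final_status, transcript), where
    transcript holds one (attempt, nonce_sent, status) tuple per REGISTER."""
    transcript = []
    authorization = None
    current_nonce = None
    for attempt in range(1, max_attempts + 1):
        status, challenge = server.handle_register(authorization)
        sent_nonce = None if authorization is None else authorization["nonce"]
        transcript.append((attempt, sent_nonce, status))
        if status != 401:
            return status, transcript
        # r2109 rule: retry when stale=true OR the challenge nonce differs from
        # the one we just used; an unchanged nonce without stale means the
        # credentials themselves were rejected, so give up instead of looping.
        if (current_nonce is not None and not challenge["stale"]
                and challenge["nonce"] == current_nonce):
            return status, transcript
        current_nonce = challenge["nonce"]
        authorization = {
            "username": username,
            "realm": challenge["realm"],      # learned from the challenge, not provisioned
            "uri": uri,
            "nonce": challenge["nonce"],
            "response": digest_response(username, challenge["realm"], password,
                                        "REGISTER", uri, challenge["nonce"]),
        }
    return 401, transcript


if __name__ == "__main__":
    users = {"alice@ims.example.invalid": "s3cret"}   # constructed sample account
    for pwd in ("s3cret", "wrong"):
        status, log = register(ImsRegistrar("ims.example.invalid", users),
                               "alice@ims.example.invalid", pwd)
        print(f"password={pwd!r}: final status {status}")
        for attempt, nonce, code in log:
            print(f"  REGISTER #{attempt} nonce={nonce} -> {code}")
```

Running it shows the three-message sequence for the correct password (401 with the provisional nonce, 401 with the definitive nonce, then 200) and, for a wrong password, the client stopping after the third request because the same nonce came back without stale, which is the bound that keeps the nonce-difference rule from retrying forever.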