WildFly Elytron / ELY-535

Add the ability to handle password updates and resets for the OTP SASL mechanism


    Details

    • Type: Feature Request
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.Beta6
    • Component/s: SASL
    • Labels:
      None

      Description

      For the OTP SASL mechanism, the stored credential needs to be updated once a guess has been verified. In the standard case, this involves updating the stored hash based on the guess and decrementing the sequence number by 1. The OTP SASL mechanism also supports OTP sequence resets, where a user provides both a guess and a new OTP password with new parameters. If verification of the guess succeeds, then the stored credential is updated based on the new password and new parameters. However, if verification of the guess succeeds but the new password/parameters are invalid, then the stored hash is updated based on the guess and the sequence number is decremented by 1, as in the non-reset case (note that SASL auth fails in this case though).

      PR #277 adds handling for a CredentialUpdateCallback in ServerAuthenticationContext. This is used to handle both the OTP sequence reset case as well as the non-reset case. Instead of manipulating the realm identity directly in the SAC callback handler, we should be able to make use of realm events so that the realm itself can handle OTP updates and resets.
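The update rules described above, sketched as an added example that is not Elytron code or the code from PR #277. `StoredOtp`, `verify_and_update`, `params_valid` and the validity rules are hypothetical, and the hash step is a stand-in (SHA-256 truncated to 64 bits) rather than the mechanism's real digest handling.

```python
import hashlib
import hmac
from dataclasses import dataclass

def step(value: bytes) -> bytes:
    # Stand-in hash step (assumption): SHA-256 truncated to 64 bits.
    return hashlib.sha256(value).digest()[:8]

def otp(seed: str, passphrase: str, sequence: int) -> bytes:
    # Client side: initial step over seed + pass phrase, then `sequence` more steps.
    value = step((seed + passphrase).encode())
    for _ in range(sequence):
        value = step(value)
    return value

@dataclass
class StoredOtp:
    seed: str
    sequence: int  # sequence number of the OTP currently stored
    hash: bytes

def params_valid(seed: str, sequence: int, new_hash: bytes) -> bool:
    # Assumed validity rules for reset parameters (not taken from the issue).
    return (seed.isascii() and seed.isalnum() and 1 <= len(seed) <= 16
            and sequence >= 1 and len(new_hash) == 8)

def verify_and_update(stored: StoredOtp, guess: bytes, reset=None) -> bool:
    """Return the authentication result and update `stored` in place."""
    if stored.sequence < 1 or not hmac.compare_digest(step(guess), stored.hash):
        return False  # guess rejected: stored credential is left untouched
    if reset is not None and params_valid(*reset):
        stored.seed, stored.sequence, stored.hash = reset  # sequence reset
        return True
    # Non-reset case, and the fallback when the reset parameters are invalid:
    # keep the verified guess as the new hash and decrement the sequence number.
    stored.hash, stored.sequence = guess, stored.sequence - 1
    return reset is None  # an invalid reset still fails authentication

if __name__ == "__main__":
    phrase = "constructed pass phrase"  # constructed sample values
    cred = StoredOtp("ke1234", 5, otp("ke1234", phrase, 5))
    guess = otp("ke1234", phrase, 4)
    print(verify_and_update(cred, guess), cred.sequence)
    print(verify_and_update(cred, guess), cred.sequence)  # replayed guess
```

Because the stored hash advances on every verified guess, including the failed-reset path, a captured guess cannot be replayed even when the overall SASL exchange fails.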


              People

              Assignee:
              fjuma Farah Juma
              Reporter:
              fjuma Farah Juma