Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-535

Add the ability to handle password updates and resets for the OTP SASL mechanism

    XMLWordPrintable

Details

    • Feature Request
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Done
    • None
    • 1.1.0.Beta6
    • SASL
    • None

    Description

      For the OTP SASL mechanism, the stored credential needs to be updated once a guess has been verified. In the standard case, this involves updating the stored hash based on the guess and decrementing the sequence number by 1. The OTP SASL mechanism also supports OTP sequence resets, where a user provides both a guess and a new OTP password with new parameters. If verification of the guess succeeds, then the stored credential is updated based on the new password and new parameters. However, if verification of the guess succeeds but the new password/parameters are invalid, then the stored hash is updated based on the guess and the sequence number is decremented by 1, as in the non-reset case (note that SASL auth fails in this case though).

      PR #277 adds handling for a CredentialUpdateCallback in ServerAuthenticationContext. This is used to handle both the OTP sequence reset case as well as the non-reset case. Instead of manipulating the realm identity directly in the SAC callback handler, we should be able to make use of realm events so that the realm itself can handle OTP updates and resets.

      Attachments

        Issue Links

          Activity

            People

              fjuma1@redhat.com Farah Juma
              fjuma1@redhat.com Farah Juma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: