This is a follow-up JIRA for JBEAP-11396. Find the details and related discussion there.
When a remoting connection has an SSL context configured and non-PLUS SCRAM mechanism(s) are to be used, authentication fails. The problem is that the Elytron client always sets the channel-binding-supported flag during the SCRAM negotiation.
There are 2 possible ways to resolve the problem:
- report the missing channel binding support in the mechanism to clients in a user-friendly way (e.g. with a suggestion to configure the -PLUS variant on both sides, client and server); the clients then know what the problem with authentication was.
- add an Elytron client option to disable channel binding so that non-PLUS (SCRAM) mechanisms can be used even if an SSL context is configured for the underlying remoting connection.
These 2 options are independent, so both of them can be implemented; that would be the most general solution. Once the issue is resolved by choosing one of the ways, we can create a new JIRA (e.g. a feature request) for the second way so that it is covered in the future.
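As an added illustration (not Elytron's code, nor code from this issue), the following Python models the gs2-cbind-flag rules of RFC 5802 section 6 that make the described negotiation fail: a client that can do channel binding but is using a non-PLUS mechanism sends the "y" flag, and a server that itself offers the -PLUS variant must reject that as a possible downgrade. The `disable_channel_binding` argument stands in for the client option proposed as the second resolution; it, the `tls-unique` binding type, and the user name and nonce are assumptions made for the example.

```python
# Added example (not Elytron code): RFC 5802 gs2-cbind-flag negotiation,
# showing why a non-PLUS SCRAM mechanism fails when a client that has an SSL
# context advertises channel-binding support ("y") to a server offering -PLUS.

# server-error-value strings defined in RFC 5802, section 7
ERR_SERVER_SUPPORTS_CB = "server-does-support-channel-binding"
ERR_CB_NOT_SUPPORTED = "channel-binding-not-supported"
ERR_OTHER = "other-error"


def client_gs2_flag(mechanism: str, ssl_context_present: bool,
                    disable_channel_binding: bool = False) -> str:
    """Pick the gs2-cbind-flag the client puts in front of client-first-message.

    Models the behaviour described in the issue: with an SSL context available
    the client reports that it supports channel binding ("y") even for a
    non-PLUS mechanism.  `disable_channel_binding` is a hypothetical option
    standing in for resolution option 2; it forces "n" for non-PLUS mechanisms.
    """
    if mechanism.endswith("-PLUS"):
        return "p=tls-unique"  # -PLUS variant: binding is mandatory (tls-unique assumed)
    if ssl_context_present and not disable_channel_binding:
        return "y"  # "I can bind, but I believe the server cannot"
    return "n"  # no channel binding


def build_client_first(flag: str, username: str, nonce: str) -> str:
    """client-first-message = gs2-header client-first-message-bare (RFC 5802, section 7)."""
    return f"{flag},,n={username},r={nonce}"


def server_check_binding(mechanism: str, client_first: str,
                         server_offers_plus: bool):
    """Server-side channel-binding decision of RFC 5802, section 6.

    Returns (accepted, error_value).  `server_offers_plus` is True when the
    server advertised the -PLUS variant, i.e. it supports channel binding.
    """
    flag = client_first.split(",", 1)[0]
    plus = mechanism.endswith("-PLUS")
    if flag.startswith("p="):
        if not plus:
            return False, ERR_OTHER  # p= on a non-PLUS name: treated as a protocol error here (assumption)
        if not server_offers_plus:
            return False, ERR_CB_NOT_SUPPORTED
        return True, None
    if plus:
        return False, ERR_OTHER  # -PLUS requires p=<cb-name>
    if flag == "y":
        if server_offers_plus:
            # RFC 5802: "y" sent to a server that does support binding looks
            # like a downgrade (the -PLUS name stripped from the mechanism
            # list), so the server MUST fail.  This is the failure the issue describes.
            return False, ERR_SERVER_SUPPORTS_CB
        return True, None
    if flag == "n":
        return True, None
    return False, ERR_OTHER


def negotiate(mechanism: str, ssl_context_present: bool,
              server_offers_plus: bool,
              disable_channel_binding: bool = False):
    """Run the client's flag choice and the server's check for one scenario."""
    flag = client_gs2_flag(mechanism, ssl_context_present, disable_channel_binding)
    # constructed user name and nonce, for illustration only
    msg = build_client_first(flag, "user", "rOprNGfwEbeRWgbNEkqO")
    return server_check_binding(mechanism, msg, server_offers_plus)


if __name__ == "__main__":
    scenarios = [
        ("SCRAM-SHA-256", True, True, False),   # the reported failure
        ("SCRAM-SHA-256", True, True, True),    # option 2: binding disabled on the client
        ("SCRAM-SHA-256-PLUS", True, True, False),
        ("SCRAM-SHA-256", False, True, False),  # plain (non-SSL) connection
    ]
    for mech, ssl, plus, off in scenarios:
        print(mech, "ssl" if ssl else "plain",
              "cb-disabled" if off else "cb-default", negotiate(mech, ssl, plus, off))
```

The first scenario is the bug as reported: the only thing that changes between it and the second scenario is the client-side flag, which is why a client option (or a clear server error, as in the first resolution) is enough to make the non-PLUS mechanism usable over SSL.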
- is incorporated by
  - JBEAP-12265 Upgrade WildFly Elytron to 1.1.0.CR3 (Closed)
  - JBEAP-12390 Upgrade WildFly Elytron to 1.1.0.CR5 (Closed)
- is related to
  - JBEAP-12894 Add possibility to disable channel binding in Elytron clients (Closed)
  - JBEAP-12689 Elytron GS2-KRB5 SASL mechanism (non-PLUS) is allowed even if the channel binding is possible (Closed)
- relates to
  - ELY-1297 Enable error messages from SCRAM server when checking binding data conditions (Resolved)
  - JBEAP-11396 Elytron - *-PLUS SASL mechanisms don't work - part of channel binding integration seems to be missing (Closed)
  - JBEAP-12232 Document how SASL mechanisms are handled when they support channel binding (Closed)