xmppjs / xmpp.js

XMPP for JavaScript
ISC License

Node-xmpp and tigase authentication failure #101

Closed lloydwatkin closed 11 years ago

lloydwatkin commented 11 years ago

I can't seem to authenticate between tigase (5.1.0) and node-xmpp (0.3.2) via digest md5. Switching to PLAIN I can log in, however I can not log in using digest-md5 (authentication failed).

Here's a gist from an authentication request. "INCOMING" and "OUTGOING" are node-xmpp console.log entries, the rest is tigase logging: https://gist.github.com/4476672

Below is a later attempt with just logging from node-xmpp and challenge/response base64 encoded.

I've had node-xmpp running ok against prosody (on ubuntu server), so I am able to get the client working itself. I can log into the XMPP server using Digest-MD5 and strophe.js (as well as other xmpp clients).

I've logged this with the tigase community too as I'm aware that it could be an issue with tigase server itself.

Outgoing: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" version="1.0" to="ip-10-66-2-93">
Incoming: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>CRAM-MD5</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><register xmlns="http://jabber.org/features/iq-register"/><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
Outgoing: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
Incoming: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" xmlns:stream="http://etherx.jabber.org/streams"/>
Outgoing: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" version="1.0" to="ip-10-66-2-93">
Incoming: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><ver xmlns="urn:xmpp:features:rosterver"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>CRAM-MD5</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><register xmlns="http://jabber.org/features/iq-register"/><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
Outgoing: <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="DIGEST-MD5"></auth>
Incoming: <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl" xmlns:stream="http://etherx.jabber.org/streams">cmVhbG09ImlwLTEwLTY2LTItOTMiLG5vbmNlPSJxcXFHWFhSemJEN0lDcDBOMkw5L2hoZnRKZm54VVVDTDRRSldYWHNWIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNz</challenge>
Base64 decoded: realm="ip-10-66-2-93",nonce="qqqGXXRzbD7ICp0N2L9/hhftJfnxUUCL4QJWXXsV",qop="auth",charset=utf-8,algorithm=md5-sess

Outgoing: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dXNlcm5hbWU9InJvbWVvIixyZWFsbT0iaXAtMTAtNjYtMi05MyIsbm9uY2U9InFxcUdYWFJ6YkQ3SUNwME4yTDkvaGhmdEpmbnhVVUNMNFFKV1hYc1YiLGNub25jZT0iOTQ5ODI4OTciLG5jPSIwMDAwMDAwMSIscW9wPSJhdXRoIixkaWdlc3QtdXJpPSJ4bXBwL2lwLTEwLTY2LTItOTMiLHJlc3BvbnNlPSIwOTRjNWViN2VjOGMwN2Q1M2EwN2QwOGE3NmFkMmE5OCIsYXV0aHppZD0icm9tZW9AaXAtMTAtNjYtMi05MyIsY2hhcnNldD0idXRmLTgi</response>
Base64 decoded: username="romeo",realm="ip-10-66-2-93",nonce="qqqGXXRzbD7ICp0N2L9/hhftJfnxUUCL4QJWXXsV",cnonce="94982897",nc="00000001",qop="auth",digest-uri="xmpp/ip-10-66-2-93",response="094c5eb7ec8c07d53a07d08a76ad2a98",authzid="romeo@ip-10-66-2-93",charset="utf-8"

Incoming: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl" xmlns:stream="http://etherx.jabber.org/streams"><not-authorized/></failure>
ERROR: XMPP authentication failure

lloydwatkin commented 11 years ago

Here's the tigase thread http://www.tigase.org/content/issue-digest-md5-authentication-and-node-xmpp-library

lloydwatkin commented 11 years ago

After a bit of investigation it turns out that node-xmpp should not be passing an authorizationId unless the user is trying to act on behalf of another. I'm going to take out the authorizationId token and see if I can get authentication working with tigase. If that works I'll test against prosody to confirm. I plan on then adding an 'actAs' option when initialising the node-xmpp client and attempting authentication in this way. Would be good to get some feedback on this as I go (i.e. you might disagree with what has been said in the Tigase forum).

RFC2120: "If the initiating entity wishes to act on behalf of another entity and the selected SASL mechanism supports transmission of an authorization identity, the initiating entity MUST provide an authorization identity during SASL negotiation. If the initiating entity does not wish to act on behalf of another entity, it MUST NOT provide an authorization identity."