Next: , Up: Mechanisms

5.1 The EXTERNAL mechanism

The EXTERNAL mechanism is used to authenticate a user to a server based on out-of-band authentication. EXTERNAL is typically used over TLS authenticated channels. Note that in the server, you need to make sure that TLS actually authenticated the client successfully. It is normally not sufficient to use TLS, since it also supports anonymous modes.

In the client, this mechanism is always enabled, and it will send the GSASL_AUTHZID property as the authorization name to the server, if the property is set. If the property is not set, the empty authorization name is sent. You need not implement a callback.

In the server, this mechanism will request the GSASL_VALIDATE_EXTERNAL callback property to decide whether the client is authenticated and authorized to log in. Your callback can retrieve the GSASL_AUTHZID property to inspect the requested authorization name from the client.