The EXTERNAL mechanism is used to authenticate a user to a server based on out-of-band authentication. EXTERNAL is typically used over TLS authenticated channels. Note that in the server, you need to make sure that TLS actually authenticated the client successfully and that the negotiated ciphersuite and other parameters are acceptable. It is generally not sufficient that TLS is used, since TLS supports anonymous and other variants that generally provide less assurance than you normally want.
In the client, this mechanism is always enabled, and it will send the GSASL_AUTHZID property as the authorization name to the server, if the property is set. If the property is not set, an empty authorization name is sent. You need not implement a callback.

In the server, this mechanism will request the GSASL_VALIDATE_EXTERNAL callback property to decide whether the client is authenticated and authorized to log in. Your callback can retrieve the GSASL_AUTHZID property to inspect the requested authorization name from the client.
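The decision a GSASL_VALIDATE_EXTERNAL callback has to make, as an added example that is not part of the GNU SASL manual or library: the `tls_state` struct, its field names and the identity strings are constructed stand-ins for whatever your TLS layer reports, and the policy (verified client certificate, no anonymous or NULL ciphersuite, authzid empty or equal to the certificate identity) is one reasonable choice, not the only one. A real callback would call `validate_external` with the session's GSASL_AUTHZID value and return GSASL_OK or GSASL_AUTHENTICATION_ERROR accordingly.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of what the TLS layer reports about the connection.
 * Field names are assumptions for this example, not a gsasl or TLS API. */
struct tls_state {
    bool client_cert_verified;  /* peer certificate chained to a trusted CA */
    const char *cipher;         /* negotiated ciphersuite (IANA-style name) */
    const char *cert_identity;  /* identity taken from the verified certificate */
};

/* Anonymous key exchange or NULL encryption give no assurance about the
 * peer, so a connection using them must not count as authenticated. */
static bool cipher_acceptable(const char *cipher)
{
    if (cipher == NULL || *cipher == '\0')
        return false;
    if (strstr(cipher, "anon") != NULL || strstr(cipher, "NULL") != NULL)
        return false;
    return true;
}

/* Decide whether an EXTERNAL login may proceed; true means accept.
 * authzid is the GSASL_AUTHZID value (NULL or "" when the client sent none). */
bool validate_external(const struct tls_state *tls, const char *authzid)
{
    /* 1. TLS must actually have authenticated the client. */
    if (tls == NULL || !tls->client_cert_verified || tls->cert_identity == NULL)
        return false;
    /* 2. The negotiated parameters must be ones we are willing to trust. */
    if (!cipher_acceptable(tls->cipher))
        return false;
    /* 3. Empty authzid means "act as the authenticated identity": accept.
     *    Otherwise the client may only authorize as itself. */
    if (authzid == NULL || *authzid == '\0')
        return true;
    return strcmp(authzid, tls->cert_identity) == 0;
}

/* Constructed sample connections used by main() below. */
const struct tls_state TLS_GOOD = { true, "TLS_AES_128_GCM_SHA256", "alice@example.org" };
const struct tls_state TLS_ANON = { false, "TLS_DH_anon_WITH_AES_128_CBC_SHA", NULL };
const struct tls_state TLS_NULL = { true, "TLS_RSA_WITH_NULL_SHA256", "alice@example.org" };

int main(void)
{
    printf("verified, no authzid:    %d\n", validate_external(&TLS_GOOD, ""));
    printf("verified, own authzid:   %d\n", validate_external(&TLS_GOOD, "alice@example.org"));
    printf("verified, other user:    %d\n", validate_external(&TLS_GOOD, "bob@example.org"));
    printf("anonymous ciphersuite:   %d\n", validate_external(&TLS_ANON, ""));
    printf("NULL cipher, cert ok:    %d\n", validate_external(&TLS_NULL, ""));
    return 0;
}
```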
The EXTERNAL mechanism was initially specified in the core SASL framework RFC 2222 and later revised in RFC 4422.