Authen::SCRAM::Server - RFC 5802 SCRAM Server
version 0.011
use Authen::SCRAM::Server;
use Try::Tiny;
$server = Authen::SCRAM::Server->new(
credential_cb => \&get_credentials,
);
$username = try {
# get client-first-message
$server_first = $server->first_msg( $client_first );
# send to client and get client-final-message
$server_final = $server->final_msg( $client_final );
# send to client
return $server->authorization_id; # returns valid username
}
catch {
die "Authentication failed!"
};
This module implements the server-side SCRAM algorithm.
Authen::SCRAM::Server - RFC 5802 SCRAM Server
version 0.011
This attribute must contain a code reference that takes a username (as a
character string normalized by SASLprep) and returns the four user-credential
parameters required by SCRAM: salt, StoredKey, ServerKey, and
iteration count. The salt, StoredKey and ServerKey must be
provided as octets (i.e. NOT base64 encoded).
If the username is unknown, it should return an empty list.
($salt, $stored_key, $server_key, $iterations) =
$server->credential_cb->( $username );
See RFC 5802: SCRAM Algorithm Overview
for details.
If provided, this attribute must contain a code reference that takes an
authentication username and a authorization username (both as character
strings), and return a true value if the authentication username is permitted
to act as the authorization username:
$bool = $server->auth_proxy_cb->(
$authentication_user, $authorization_user
);
It will only be all called if the authentication username has successfully
authenticated. Both usernames will have been normalized via SASLprep with
any transport encoding removed before being passed to this function.
Name of a digest function available via the PBKDF2::Tiny manpage. Valid values are
SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512. Defaults to SHA-1.
Size of the client-generated nonce, in bits. Defaults to 192.
The server-nonce will be appended, so the final nonce size will
be substantially larger.
A boolean that defaults to false. If set to true, usernames and passwords will
not be normalized through SASLprep. This is a deviation from the RFC5802 spec
and is not recommended.
$server_first_msg = $server->first_msg( $client_first_msg );
This takes the client-first-message received from the client and returns the
server-first-message string to be sent to the client to continue a SCRAM
session. Calling this again will reset the internal state and initiate a new
session. This will throw an exception should an error occur.
$server_final_msg = $server->final_msg( $client_final_msg );
This takes the client-final-message received from the client and returns the
server-final-message string containing the verification signature to be sent
to the client.
If an authorization identity was provided by the client, it will confirm that
the authenticating username is authorized to act as the authorization id using
the auth_proxy_cb attribute.
If the client credentials do not match or the authentication name is not
authorized to act as the authorization name, then an exception will be thrown.
$username = $client->authorization_id();
This takes no arguments and returns the authorization identity resulting from
the SCRAM exchange. This is the client-supplied authorization identity (if one
was provided and validated) or else the successfully authenticated identity.
The SCRAM protocol mandates UTF-8 interchange. However, all methods in this
module take and return character strings. You must encode to UTF-8 before
sending and decode from UTF-8 on receiving according to whatever transport
mechanism you are using.
This is done to avoid double encoding/decoding problems if your transport is
already doing UTF-8 encoding or decoding as it constructs outgoing messages or
parses incoming messages.
David Golden <dagolden@cpan.org>
This software is Copyright (c) 2014 by David Golden.
This is free software, licensed under:
The Apache License, Version 2.0, January 2004
David Golden <dagolden@cpan.org>
This software is Copyright (c) 2014 by David Golden.
This is free software, licensed under:
The Apache License, Version 2.0, January 2004
|