Ejabberd: Any reason to offer X-OAUTH2 for Anonymous login?

Created on 2 Apr 2020 · 8 Comments · Source: processone/ejabberd

Trying to get Jitsi going on arm64, and Java/nodejs compiled fine, but it can't auth: it's set up for anonymous logins, but Jitsi asks for X-OAUTH2 since ejabberd HEAD of yesterday is actually offering it too for some reason.

I've followed https://blog.jabberhead.tk/2020/03/16/install-jitsi-meet-alongside-ejabberd/

So the WS messages seen in the browser console are like this _(BOSH fails the same, FYI)_

JITSI: <open to="jitsi.mydomain.tld" version="1.0" xmlns="urn:ietf:params:xml:ns:xmpp-framing"/>
EJABBERD: <open xmlns='urn:ietf:params:xml:ns:xmpp-framing' id='9125368708367651069' version='1.0' xml:lang='en' from='jitsi.mydomain.tld'/>
EJABBERD: <stream:features xmlns:stream='http://etherx.jabber.org/streams'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>ANONYMOUS</mechanism><mechanism>PLAIN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
JITSI: <auth mechanism="X-OAUTH2" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">AAB1bmRlZmluZWQ=</auth>
EJABBERD: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text xml:lang='en'>Invalid token</text></failure>
EJABBERD: <stream:error xmlns:stream='http://etherx.jabber.org/streams'><connection-timeout xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xml:lang='en' xmlns='urn:ietf:params:xml:ns:xmpp-streams'>Idle connection</text></stream:error>

But... my ejabberd config has:

host_config:
  "mydomain.tld":
    auth_method: sql
    auth_password_format: scram
  "jitsi.mydomain.tld":
    auth_method: anonymous
    allow_multiple_connections: true
    anonymous_protocol: both

Luckily @weiss told me how to globally disable this auth type that my server is not actually using, since there was no info in the docs.
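To make the failure above concrete, here is an added Python example (not code from this issue or from ejabberd) that reads the two frames from the console log, checks the advertised mechanisms against the rule the thread settles on (offer X-OAUTH2 unless anonymous is the only auth method on the host), and decodes the client's X-OAUTH2 payload. The host_config dict and the PLAIN-style NUL-separated payload layout are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed copies of two frames from the issue's browser console log.
FEATURES = ('<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
            '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
            '<mechanism>ANONYMOUS</mechanism><mechanism>PLAIN</mechanism>'
            '<mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>')
AUTH = ('<auth mechanism="X-OAUTH2" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
        'AAB1bmRlZmluZWQ=</auth>')

# Constructed: the issue's host_config as a dict (auth_method may be a
# single string or a list in ejabberd's YAML; both shapes are handled).
HOST_CONFIG = {
    "mydomain.tld": {"auth_method": "sql"},
    "jitsi.mydomain.tld": {"auth_method": "anonymous", "anonymous_protocol": "both"},
}


def auth_methods(host):
    methods = HOST_CONFIG[host].get("auth_method", [])
    return [methods] if isinstance(methods, str) else list(methods)


def offer_x_oauth2(host):
    # Rule from the thread: offer X-OAUTH2 unless anonymous is the
    # only auth method configured for this host.
    return auth_methods(host) != ["anonymous"]


def advertised_mechanisms(features_xml):
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter("{%s}mechanism" % SASL_NS)]


def unexpected_mechanisms(host, features_xml):
    # X-OAUTH2 entries in the advertisement that the rule says should
    # not be offered on this host (only X-OAUTH2 is audited here).
    return [m for m in advertised_mechanisms(features_xml)
            if m == "X-OAUTH2" and not offer_x_oauth2(host)]


def decode_x_oauth2_auth(auth_xml):
    # Assumption: X-OAUTH2 uses the PLAIN layout authzid NUL authcid NUL token.
    el = ET.fromstring(auth_xml)
    if el.get("mechanism") != "X-OAUTH2":
        raise ValueError("not an X-OAUTH2 auth element")
    raw = base64.b64decode(el.text or "")
    authzid, authcid, token = raw.split(b"\0", 2)
    return authzid.decode(), authcid.decode(), token.decode()
```

Run against the frames above, the audit flags X-OAUTH2 on jitsi.mydomain.tld, and the decoded payload shows an empty authzid and authcid with the literal token "undefined", which is why the server answered "Invalid token".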

All 8 comments

Hi,

Since the doc was updated, should we close this ticket? Anything else to do?

I guess the question was whether it makes sense to ever let ejabberd offer X-OAUTH2 for anon domains (esp. by default).

Probably not then.

Something like this?

diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index f533fbed3..4318c7c7e 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -386,7 +386,7 @@ sasl_mechanisms(Mechs, #{lserver := LServer} = State) ->
     (<<"DIGEST-MD5">>) -> Type == plain;
     (<<"SCRAM-SHA-1">>) -> Type /= external;
     (<<"PLAIN">>) -> true;
-    (<<"X-OAUTH2">>) -> true;
+    (<<"X-OAUTH2">>) -> not ejabberd_auth_anonymous:allow_anonymous(LServer);
     (<<"EXTERNAL">>) -> maps:get(tls_verify, State, false);
     (_) -> false
       end, Mechs -- Mechs1).
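Review bot: the replacement clause `(<<"X-OAUTH2">>) -> not ejabberd_auth_anonymous:allow_anonymous(LServer);` hides X-OAUTH2 whenever anonymous login is allowed on the host, which also covers hosts that combine anonymous with another auth method, so a token-authenticated client on such a mixed host would no longer be offered the mechanism it needs. Consider limiting the exclusion to hosts where anonymous is the only auth method, and add a short comment above the clause saying why the mechanism is withheld: the neighbouring clauses key on `Type` and the reason for this one is not obvious from the code.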

Maybe we should only disable it if anonymous is the only mechanism to connect on that host?

@badlop your patch seems to work, thanks

Maybe we should only disable it if anonymous is the only mechanism to connect on that host?

That makes sense, and this improved patch addresses it:

diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 4318c7c7e..995def286 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -386,7 +386,7 @@ sasl_mechanisms(Mechs, #{lserver := LServer} = State) ->
     (<<"DIGEST-MD5">>) -> Type == plain;
     (<<"SCRAM-SHA-1">>) -> Type /= external;
     (<<"PLAIN">>) -> true;
-    (<<"X-OAUTH2">>) -> not ejabberd_auth_anonymous:allow_anonymous(LServer);
+    (<<"X-OAUTH2">>) -> [ejabberd_auth_anonymous] /= ejabberd_auth:auth_modules(LServer);
     (<<"EXTERNAL">>) -> maps:get(tls_verify, State, false);
     (_) -> false
       end, Mechs -- Mechs1).
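Review bot: `[ejabberd_auth_anonymous] /= ejabberd_auth:auth_modules(LServer)` is an exact list comparison, so X-OAUTH2 is withheld only when the host's module list is precisely the single anonymous module; any other list (anonymous plus another module, or an empty list for a host with no auth modules) keeps X-OAUTH2 advertised. That matches the intent agreed above but is easy to misread, so a one-line comment stating "offer X-OAUTH2 unless anonymous is the only auth method on this host", together with a test case for the anonymous-only host from the issue, would make the rule explicit and guard it against future edits.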

Any blockers?
