[OpenSIPS-Users] learning the realm from authentication challenges

Fri Sep 25 03:13:34 EST 2020

Good catch on Proxy-Authorization vs Proxy-Authenticate.  I think I've been
looking at this too long.  I checked the module and that's exactly what it
is.

My hope was to load the uac_auth user/pass AVPs ahead of time from a DB
based on where I knew I was sending the call, load the realm one in the
failure route based on what comes back in the header, and then fire the
uac_auth() function.  It looks like I may have to manually extract the
realm from whichever header comes in.  Not ideal, but probably workable.

- Jeff

On Thu, Sep 24, 2020 at 9:58 PM Ben Newlin <Ben.Newlin at genesys.com> wrote:

> This does not appear to be documented, but I believe uac_auth() looks
> through the AVPs configured in the UAC_AUTH module and uses the first one
> whose realm matches the challenge realm. So in order to authenticate any
> challenge, you must load all of the possible credentials into those AVPs.
>
>
>
> Ben Newlin
>
>
>
> *From: *Users <users-bounces at lists.opensips.org>
> *Date: *Thursday, September 24, 2020 at 9:53 PM
> *To: *OpenSIPS users mailling list <users at lists.opensips.org>
> *Subject: *Re: [OpenSIPS-Users] learning the realm from authentication
> challenges
>
> According to the docs, $ar provides the realm from the “Authorization” or
> “Proxy-Authorization” headers. Not from the ”Proxy-Authenticate” header,
> which is what you have.
>
>
>
> https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6
>
>
>
> Ben Newlin
>
>
>
> *From: *Users <users-bounces at lists.opensips.org>
> *Date: *Thursday, September 24, 2020 at 9:31 PM
> *To: *OpenSIPS users mailling list <users at lists.opensips.org>
> *Subject: *[OpenSIPS-Users] learning the realm from authentication
> challenges
>
> I'm trying to recover the realm of an auth challenge to OpenSIPS so I can
> respond to it with the uac_auth() function, and that requires knowing the
> realm.  The docs say that $ar
> <https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6> should
> provide that, perhaps written like $(<reply>ar) to get it in the right
> context.  I'm having some trouble getting the data.
>
> failure_route[relay_failure] {
> ...
>
>         if (t_check_status("407")) {
>                 xlog("L_NOTICE", "[1] Proxy-Authenticate:
> $(<reply>hdr(Proxy-Authenticate))\n");
>                 xlog("L_NOTICE", "[2] Auth Realm: $(<reply>ar)\n");
>
>                 xlog("L_NOTICE", "[3] Auth Realm: $ar\n");
>         }
>
> ...
>
> }
>
>
>
> The logs show:
>
> /usr/sbin/opensips[33044]: [1] Proxy-Authenticate: Digest
> realm="asterisk", nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd",
> qop="auth"
> /usr/sbin/opensips[33044]: [2] Auth Realm reply: <null>
> /usr/sbin/opensips[33044]: [3] Auth Realm: <null>
>
>
>
> Is it possible to get the realm?  Is it possible to build a response with
> uac_auth() for an arbitrary authentication challenge?
>
>
>
> This is on 3.1.0~20200923~88f89e941.
>
>
>
>
>
>
>
> - Jeff
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20200924/e03c709b/attachment.html>