<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>how funny. I think that BW runs internally opensips :-)</p>
<p>Bogdan surely knows. <br>
</p>
<div class="moz-cite-prefix">On 25/09/2020 16:13, Jeff Pyle wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPhW+0LwS7Z20aY+9xvNvZkkQYvBvfSP99ZoVxex+7tqbBihWQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Johan,
<div> I will definitely try that. Thank you!
<div>
<div><br>
</div>
<div>Ben, </div>
<div> The problem is I have multiple destinations with the
same realm. In my case, several different Broadworks app
servers. I haven't checked them exhaustively but I think
they all reply with realm="BroadWorks" in their
authentication headers. I've got some Asterisk boxes in
here, and I think they're all the domain of the SIP
request URI in the case of an INVITE. I think I'll have
to choose ahead of time which credentials go with which
route, no? Unless I'm still not wrapping my head around
how this is supposed to work.</div>
<div><br>
</div>
<div><br>
</div>
<div>- Jeff</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Sep 25, 2020 at 9:22
AM Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com"
moz-do-not-send="true">Ben.Newlin@genesys.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="gmail-m_-4555192254512252602WordSection1">
<p class="MsoNormal">Jeff,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">My point was that the uac_auth() is
supposed to handle the realm matching for you. If you
simply load all of the auth data based on the call
target as you already plan to do, uac_auth() should look
through that data for you to find credentials with a
matching realm. You don’t need to do that part yourself
in the script.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben Newlin
</span></p>
<p class="MsoNormal"> </p>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a
href="mailto:users-bounces@lists.opensips.org"
target="_blank" moz-do-not-send="true">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September 24, 2020 at 11:14
PM<br>
<b>To: </b>OpenSIPS users mailling list <<a
href="mailto:users@lists.opensips.org"
target="_blank" moz-do-not-send="true">users@lists.opensips.org</a>><br>
<b>Subject: </b>Re: [OpenSIPS-Users] learning the
realm from authentication challenges</span></p>
</div>
<div>
<p class="MsoNormal">Good catch on Proxy-Authorization
vs Proxy-Authenticate. I think I've been looking at
this too long. I checked the module and that's
exactly what it is.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">My hope was to load the uac_auth
user/pass AVPs ahead of time from a DB based on
where I knew I was sending the call, load the realm
one in the failure route based on what comes back in
the header, and then fire the uac_auth() function.
It looks like I may have to manually extract the
realm from whichever header comes in. Not ideal,
but probably workable.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">- Jeff</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu, Sep 24, 2020 at 9:58 PM
Ben Newlin <<a
href="mailto:Ben.Newlin@genesys.com"
target="_blank" moz-do-not-send="true">Ben.Newlin@genesys.com</a>>
wrote:</p>
</div>
<blockquote
style="border-top:none;border-right:none;border-bottom:none;border-left:1pt
solid rgb(204,204,204);padding:0in 0in 0in
6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">This does not appear to be
documented, but I believe uac_auth() looks
through the AVPs configured in the UAC_AUTH
module and uses the first one whose realm
matches the challenge realm. So in order to
authenticate any challenge, you must load all of
the possible credentials into those AVPs.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben
Newlin
</span></p>
<p class="MsoNormal"> </p>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="font-size:12pt;color:black">From:
</span></b><span
style="font-size:12pt;color:black">Users
<<a
href="mailto:users-bounces@lists.opensips.org"
target="_blank" moz-do-not-send="true">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September 24, 2020
at 9:53 PM<br>
<b>To: </b>OpenSIPS users mailling list
<<a
href="mailto:users@lists.opensips.org"
target="_blank" moz-do-not-send="true">users@lists.opensips.org</a>><br>
<b>Subject: </b>Re: [OpenSIPS-Users]
learning the realm from authentication
challenges</span></p>
</div>
<p class="MsoNormal">According to the docs, $ar
provides the realm from the “Authorization” or
“Proxy-Authorization” headers. Not from the
”Proxy-Authenticate” header, which is what you
have.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><a
href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6"
target="_blank" moz-do-not-send="true">https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben
Newlin
</span></p>
<p class="MsoNormal"> </p>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="font-size:12pt;color:black">From:
</span></b><span
style="font-size:12pt;color:black">Users
<<a
href="mailto:users-bounces@lists.opensips.org"
target="_blank" moz-do-not-send="true">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September 24, 2020
at 9:31 PM<br>
<b>To: </b>OpenSIPS users mailling list
<<a
href="mailto:users@lists.opensips.org"
target="_blank" moz-do-not-send="true">users@lists.opensips.org</a>><br>
<b>Subject: </b>[OpenSIPS-Users] learning
the realm from authentication challenges</span></p>
</div>
<div>
<p class="MsoNormal">I'm trying to recover the
realm of an auth challenge to OpenSIPS so I
can respond to it with the uac_auth()
function, and that requires knowing the
realm. The docs say that
<a
href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6"
target="_blank" moz-do-not-send="true">
$ar</a> should provide that, perhaps written
like $(<reply>ar) to get it in the right
context. I'm having some trouble getting the
data.<br>
<br>
<span
style="font-size:7.5pt;font-family:"Courier
New"">failure_route[relay_failure] {<br>
...</span></p>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New""> if
(t_check_status("407")) {<br>
xlog("L_NOTICE", "[1]
Proxy-Authenticate:
$(<reply>hdr(Proxy-Authenticate))\n");<br>
xlog("L_NOTICE", "[2] Auth
Realm: $(<reply>ar)\n");</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New"">
xlog("L_NOTICE", "[3] Auth Realm: $ar\n");<br>
}</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New"">...</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New"">}</span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The logs show:<br>
<br>
<span
style="font-size:7.5pt;font-family:"Courier
New"">/usr/sbin/opensips[33044]: [1]
Proxy-Authenticate: Digest
realm="asterisk",
nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd",
qop="auth"<br>
/usr/sbin/opensips[33044]: [2] Auth Realm
reply: <null><br>
/usr/sbin/opensips[33044]: [3] Auth Realm:
<null></span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Is it possible to get the
realm? Is it possible to build a response
with uac_auth() for an arbitrary
authentication challenge?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This is
on 3.1.0~20200923~88f89e941.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">- Jeff</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org"
target="_blank" moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
target="_blank" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a></p>
</blockquote>
</div>
</div>
</div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
</body>
</html>