<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>do this in failure_route</p>
<p><br>
</p>
<p> if (is_method("INVITE"))<br>
{<br>
# mark that auth was performed<br>
setflag(8);<br>
# trigger again the failure route<br>
t_on_failure("missed_call_registrations");<br>
if ($(<reply>hdr(Proxy-Authenticate))) <br>
{<br>
$var(raw_auth) =
$(<reply>hdr(Proxy-Authenticate));<br>
}<br>
if ($(<reply>hdr(WWW-Authenticate))) <br>
{<br>
$var(raw_auth) =
$(<reply>hdr(WWW-Authenticate));<br>
}<br>
$var(reg_start) = "/(.*?)realm=\"//g";<br>
$var(reg_end) = "/\"(.*)//g";<br>
xlog("callid=$ci:
Failure_route[missed_call_registrations]: Raw data
$var(raw_auth)");<br>
$var(raw_auth) =
$(var(raw_auth){re.subst,$var(reg_start)});<br>
$var(raw_auth) = $(var(raw_auth){re.subst,$var(reg_end)});<br>
xlog("callid=$ci:
Failure_route[missed_call_registrations]: Got realm data
$var(raw_auth)");<br>
$avp(uac_realm)=$var(raw_auth);<br>
# repeat the request with auth response this time<br>
xlog("callid=$ci:
Failure_route[missed_call_registrations]:let us send
authentication");<br>
xlog("callid=$ci:
Failure_route[missed_call_registrations]:FAILUREROUTE_STATUS40X_UACAUTHINVITE_DEBUG_VARIABLES:
AVP_UAC_REALM:$avp(uac_realm) AVP_UAC_USERNAME: $avp(uac_username)
AVP_UAC_PASSWORD:$avp(uac_password)");<br>
uac_auth();</p>
<p>}<br>
</p>
<div class="moz-cite-prefix">On 25/09/2020 05:13, Jeff Pyle wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAPhW+0L+-LrMCW516s9LDY-f5R1oHtz4sBc9-Q=U+SqnLjhKuQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Good catch on Proxy-Authorization vs
Proxy-Authenticate. I think I've been looking at this too
long. I checked the module and that's exactly what it is.
<div><br>
</div>
<div>My hope was to load the uac_auth user/pass AVPs ahead of
time from a DB based on where I knew I was sending the call,
load the realm one in the failure route based on what comes
back in the header, and then fire the uac_auth() function. It
looks like I may have to manually extract the realm from
whichever header comes in. Not ideal, but probably workable.</div>
<div><br>
</div>
<div><br>
</div>
<div>- Jeff</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 24, 2020 at 9:58
PM Ben Newlin <<a href="mailto:Ben.Newlin@genesys.com"
moz-do-not-send="true">Ben.Newlin@genesys.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="gmail-m_-8841508296523282806WordSection1">
<p class="MsoNormal">This does not appear to be
documented, but I believe uac_auth() looks through the
AVPs configured in the UAC_AUTH module and uses the
first one whose realm matches the challenge realm. So in
order to authenticate any challenge, you must load all
of the possible credentials into those AVPs.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben Newlin
</span></p>
<p class="MsoNormal"> </p>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a
href="mailto:users-bounces@lists.opensips.org"
target="_blank" moz-do-not-send="true">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September 24, 2020 at 9:53
PM<br>
<b>To: </b>OpenSIPS users mailling list <<a
href="mailto:users@lists.opensips.org"
target="_blank" moz-do-not-send="true">users@lists.opensips.org</a>><br>
<b>Subject: </b>Re: [OpenSIPS-Users] learning the
realm from authentication challenges</span></p>
</div>
<p class="MsoNormal">According to the docs, $ar provides
the realm from the “Authorization” or
“Proxy-Authorization” headers. Not from the
”Proxy-Authenticate” header, which is what you have.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><a
href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6"
target="_blank" moz-do-not-send="true">https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6</a></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="color:black">Ben Newlin
</span></p>
<p class="MsoNormal"> </p>
<div
style="border-right:none;border-bottom:none;border-left:none;border-top:1pt
solid rgb(181,196,223);padding:3pt 0in 0in">
<p class="MsoNormal" style="margin-bottom:12pt"><b><span
style="font-size:12pt;color:black">From:
</span></b><span style="font-size:12pt;color:black">Users
<<a
href="mailto:users-bounces@lists.opensips.org"
target="_blank" moz-do-not-send="true">users-bounces@lists.opensips.org</a>><br>
<b>Date: </b>Thursday, September 24, 2020 at 9:31
PM<br>
<b>To: </b>OpenSIPS users mailling list <<a
href="mailto:users@lists.opensips.org"
target="_blank" moz-do-not-send="true">users@lists.opensips.org</a>><br>
<b>Subject: </b>[OpenSIPS-Users] learning the realm
from authentication challenges</span></p>
</div>
<div>
<p class="MsoNormal">I'm trying to recover the realm of
an auth challenge to OpenSIPS so I can respond to it
with the uac_auth() function, and that requires
knowing the realm. The docs say that
<a
href="https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6"
target="_blank" moz-do-not-send="true">
$ar</a> should provide that, perhaps written like
$(<reply>ar) to get it in the right context.
I'm having some trouble getting the data.<br>
<br>
<span style="font-size:7.5pt;font-family:"Courier
New"">failure_route[relay_failure] {<br>
...</span></p>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New""> if (t_check_status("407")) {<br>
xlog("L_NOTICE", "[1]
Proxy-Authenticate:
$(<reply>hdr(Proxy-Authenticate))\n");<br>
xlog("L_NOTICE", "[2] Auth Realm:
$(<reply>ar)\n");</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New""> xlog("L_NOTICE", "[3]
Auth Realm: $ar\n");<br>
}</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New"">...</span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Courier
New"">}</span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">The logs show:<br>
<br>
<span
style="font-size:7.5pt;font-family:"Courier
New"">/usr/sbin/opensips[33044]: [1]
Proxy-Authenticate: Digest realm="asterisk",
nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd",
qop="auth"<br>
/usr/sbin/opensips[33044]: [2] Auth Realm reply:
<null><br>
/usr/sbin/opensips[33044]: [3] Auth Realm:
<null></span></p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Is it possible to get the realm?
Is it possible to build a response with uac_auth()
for an arbitrary authentication challenge?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This is
on 3.1.0~20200923~88f89e941.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">- Jeff</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opensips.org" target="_blank"
moz-do-not-send="true">Users@lists.opensips.org</a><br>
<a
href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a><br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
</body>
</html>