File: README.txt

package info (click to toggle)
ejabberd-contrib 0.2016.09.12~dfsg0-2~bpo8%2B1
  • links: PTS, VCS
  • area: main
  • in suites: jessie-backports
  • size: 2,236 kB
  • sloc: erlang: 5,025; makefile: 46; sh: 26
file content (204 lines) | stat: -rw-r--r-- 6,732 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
 
# HTTP authentication module

## Overview

The purpose of this module is to connect with an external REST API and
delegate the authentication operations to it whenever possible. The
component must implement the API described in one of the next sections
for `ejabberd_auth_http` to work out of the box.

Thanks to ejabberd design, the user base does not have to be local and
this approach allows you to avoid user base duplication, without
having to grant access to your main backend database.

The module can be especially useful for users maintaining their own,
central user database, which is shared with other services. It fits
perfectly when client application uses custom authentication token and
ejabberd has to validate it externally.

## Configuration

### How to enable

The simplest way is to just replace default `auth_method` option in
`ejabberd.yml` with `auth_method: http`.

However, enabling the module **is not enough!** Please follow
instructions below.

### Configuration options

`ejabberd_auth_http` requires some parameters to function
properly. The following options can be set in `auth_opts` in
`ejabberd.yml`:

* `host` (mandatory, `string`) - consists of protocol, hostname (or IP) and port (optional). Examples:
  * `host: "http://localhost:12000"`
  * `host: "https://10.20.30.40"`
* `connection_pool_size` (optional, `integer`, default: 10) - the
  number of connections open to auth service
* `connection_opts` (optional, default: `[]`) - extra options for
  hackers: http://erlang.org/doc/man/gen_tcp.html#type-connect_option

* `basic_auth` (optional, default: `""`) - HTTP Basic Authentication
  in format `"username:password"`; auth service doesn't have to
  require authentication for HTTP auth to work
  
* `path_prefix` (optional, default: `"/"`) - a path prefix to be
  inserted between `host` and method name; must be terminated with `/`

Example configuration:
```
auth_method: http
auth_opts:
  host: "http://localhost:12000"
  connection_pool_size: 10
  connection_opts: []
  basic_auth: ""
  path_prefix: "/"
```

## SCRAM support

`ejabberd_auth_http` can use the SCRAM method. When SCRAM is enabled,
the passwords sent to the auth service are serialised and the same
serialised format is expected when fetching a password from the
component.

It is transparent when ejabberd is responsible for all DB operations
such as password setting, account creation etc.

The service CAN perform the (de)serialisation of SCRAM-encoded
passwords, using a format that will be described in near future in
separate document.

## Authentication service API

All GET requests include the following URL-encoded query string:
`?user=<username>&server=<domain>&pass=<password>`.

All POST requests have the following URL-encoded string in the request
body: `user=<username>&server=<domain>&pass=<password>`.

If certain method does not need a password, the value of `pass` is
**undefined**, so it shouldn't be used.

For the best integration, the return code range should not exceed the
list below:

* 500 - internal server error
* 409 - conflict
* 404 - not found
* 403 - not allowed
* 401 - not authorised
* 400 - other error, should be sent in response body
* 204 - success, no return data
* 201 - created
* 200 - success, return value in response body

Whenever the specification says "anything else", service should use
one of the codes from the list above.

Some requests consider multiple return codes a "success". It is up to
the server-side developer to pick one of the codes.

### `check_password`

* **Method:** GET
* **Type:** mandatory when SCRAM is not used
* **Return values:**
  * 200, `true` or `false` in body
  * anything else - will be treated as `false`
* **Description:** Must respond if the password is valid for user.

### `get_password`

* **Method:** GET
* **Type:** mandatory when SCRAM or DIGEST SASL mechanism is used
* **Return values:**
  * 200, password in the body
  * anything else - `get_password` will fail
* **Description:** Must return the user's password in plaintext or in the SCRAM serialised form.

### `user_exists`

* **Method:** GET
* **Type:** mandatory
* **Return values:**
  * 200, `true` or `false` in body
  * anything else - will be treated as `false`
* **Description:** Must return the information whether the user exists in DB.

### `set_password`

* **Method:** POST
* **Type:** mandatory when `mod_register` is enabled
* **Return values:**
  * 200 or 201 or 204 - success
  * anything else - will be treated as `false`
* **Description:** Must set user's password in the internal database
  to a provided value. The value should not be transformed (except for
  URL-decoding) before writing into DB.

### `remove_user`

* **Method:** POST
* **Type:** mandatory when `mod_register` is enabled
* **Return values:**
  * 200 or 201 or 204 - success
  * 404 - user does not exist
  * 403 - not allowed for some reason
  * 40X - will be treated as `bad request`
* **Description:** Removes a user account.

### `remove_user_validate`

* **Method:** POST
* **Type:** mandatory when `mod_register` is enabled
* **Return values:**
  * 200 or 201 or 204 - success
  * 404 - user does not exist
  * 403 - invalid user password or not allowed for other reason
  * 40X - will be treated as `bad request`
* **Description:** Removes a user account only if provided password is valid.

### `register`

* **Method:** POST
* **Type:** mandatory when `mod_register` is enabled
* **Return values:**
  * 201 - success
  * 409 - user already exists
  * anything else - will be treated as failure
* **Description:** Creates a user account.

## Authentication service API recipes

Below are some examples of the auth service APIs and ejabberd-side
configuration along with use cases.

### System using common, custom auth token

An Auth token is provided as a password.

* **Service implements:** `check_password`, `user_exists`
* **ejabberd config:** `auth_password format`: `plain`, `mod_register` disabled
* **Client side:** MUST NOT use `DIGEST-MD5` mechanism; use `PLAIN`

### Central database of plaintext passwords

* **Service implements:** `check_password`, `get_password`, `user_exists`
* **ejabberd config:** `auth_password_format`: `plain`, `mod_register` disabled
* **Client side:** May use any available auth method

### Central database able to process SCRAM

* **Service implements:** `get_password`, `user_exists`
* **ejabberd config:** `auth_password_format`: `scram`, `mod_register` disabled
* **Client side:** May use any available auth method

### All-included

* **Service implements:** all methods
* **ejabberd config:** `auth_password_format`: `scram` (recommended) or `plain`, `mod_register` enabled
* **Client side:** May use any available auth method