[OpenSIPS-Users] learning the realm from authentication challenges

Ben Newlin Ben.Newlin at genesys.com
Fri Sep 25 01:57:01 EST 2020 

This does not appear to be documented, but I believe uac_auth() looks through the AVPs configured in the UAC_AUTH module and uses the first one whose realm matches the challenge realm. So in order to authenticate any challenge, you must load all of the possible credentials into those AVPs.

Ben Newlin

From: Users <users-bounces at lists.opensips.org>
Date: Thursday, September 24, 2020 at 9:53 PM
To: OpenSIPS users mailling list <users at lists.opensips.org>
Subject: Re: [OpenSIPS-Users] learning the realm from authentication challenges
According to the docs, $ar provides the realm from the “Authorization” or “Proxy-Authorization” headers. Not from the ”Proxy-Authenticate” header, which is what you have.

https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6<https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6>

Ben Newlin

From: Users <users-bounces at lists.opensips.org>
Date: Thursday, September 24, 2020 at 9:31 PM
To: OpenSIPS users mailling list <users at lists.opensips.org>
Subject: [OpenSIPS-Users] learning the realm from authentication challenges
I'm trying to recover the realm of an auth challenge to OpenSIPS so I can respond to it with the uac_auth() function, and that requires knowing the realm.  The docs say that $ar<https://www.opensips.org/Documentation/Script-CoreVar-3-1#toc6> should provide that, perhaps written like $(<reply>ar) to get it in the right context.  I'm having some trouble getting the data.

failure_route[relay_failure] {
...
        if (t_check_status("407")) {
                xlog("L_NOTICE", "[1] Proxy-Authenticate: $(<reply>hdr(Proxy-Authenticate))\n");
                xlog("L_NOTICE", "[2] Auth Realm: $(<reply>ar)\n");
                xlog("L_NOTICE", "[3] Auth Realm: $ar\n");
        }
...
}

The logs show:

/usr/sbin/opensips[33044]: [1] Proxy-Authenticate: Digest realm="asterisk", nonce="5f6d42140000936ad820dbcd452e6bcd145777e458dd46dd", qop="auth"
/usr/sbin/opensips[33044]: [2] Auth Realm reply: <null>
/usr/sbin/opensips[33044]: [3] Auth Realm: <null>

Is it possible to get the realm?  Is it possible to build a response with uac_auth() for an arbitrary authentication challenge?

This is on 3.1.0~20200923~88f89e941.



- Jeff

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20200925/aa55c1bb/attachment-0001.html>

More information about the Users mailing list