<abstract>This document describes a replacement for the SASL profile documented in RFC 6120 which allows for greater extensibility.</abstract>
&LEGALNOTICE;
<number>XXXX</number>
<status>ProtoXEP</status>
<number>0388</number>
<status>Experimental</status>
<type>Standards Track</type>
<sig>Standards</sig>
<dependencies>
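Review bot: the metadata in this hunk changes the number from XXXX to 0388 and the status from ProtoXEP to Experimental, but nothing in the hunk records when or why; a reader of the header alone cannot tell this was an editorial promotion. Make sure a revision entry carries that information (the hunk at -20,6 +20,16 does add "Move to experimental.", so the two hunks should stay together in one change).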
@@ -20,6 +20,16 @@
<supersededby/>
<shortname>sasl2</shortname>
&dcridland;
<revision>
<version>0.1.0</version>
<date>2017-03-16</date>
<initials>XEP Editor (ssw)</initials>
<remark>
<ul>
<li>Move to experimental.</li>
</ul>
</remark>
</revision>
<revision>
<version>0.0.1</version>
<date>2017-02-07</date>
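Review bot: the new 0.1.0 revision remark lists only "Move to experimental.", while the same change also sets `<shortname>sasl2</shortname>` and assigns the number 0388; list those in the remark too so the revision history shows where they were fixed. The `<initials>XEP Editor (ssw)</initials>` form is fine for an editor-applied change, and the 2017-03-16 date correctly follows the 0.0.1 entry dated 2017-02-07.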
@@ -62,10 +72,10 @@
<p>Clients, upon observing this stream feature, initiate the authentication by the use of the <authenticate/> top-level element, within the same namespace. The nature of this element is to inform the server about properties of the final stream state, as well as initiate authentication itself. To achieve the latter, it has a single mandatory attribute of "mechanism", with a string value of a mechanism name offered by the Server in the stream feature, and an optional child element of <initial-response/>, containing a base64-encoded SASL Initial Response.</p>
<p>On subsequent connections, if a Client has previously cache the stream feature, the Client MAY choose to send it before seeing the stream features - sending it "pipelined" with the Stream Open tag for example.</p>
<p>In order to provide support for other desired stream states beyond authentication, additional child elements are used. For example, a hypothetical XEP-0198 session resumption element might be included, and/or Resource Binding requests.</p>
<examplecaption="An authentication request with a (hypothetical) bind request"><![CDATA[
<p>A <continue/> element is used to indicate that while the SASL exchange was successful, it is insufficient to allow authentication at this time.</p>
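Review bot: `<examplecaption="An authentication request with a (hypothetical) bind request">` in this hunk is missing the space between the element name and its attribute, which leaves the document ill-formed; it should read `<example caption="...">`. In the pipelining paragraph, "has previously cache the stream feature" should be "has previously cached the stream feature". That paragraph also needs a sentence on what the server does when a pipelined `<authenticate/>` names a mechanism that is no longer in the currently advertised set: the preceding paragraph requires the mechanism to be one "offered by the Server in the stream feature", so the text should state that the server rejects such a request rather than silently accepting a mechanism it no longer offers, otherwise a stale cache becomes a way to keep using a mechanism the server has withdrawn.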
@@ -147,13 +157,13 @@
<mechanisms>
<text>This account requires 2FA</text>
</continue>
]]></example>
]]></example>
<p>Clients respond with a <next-authenticate/> element, which has a single mandatory attribute of "mechanism", containing the selected mechanism name, and contains an OPTIONAL base64 encoded initial response.</p>
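Review bot: `]]></example>` appears twice at the end of this hunk; if both lines survive in the result there is a stray closing tag after the CDATA section, so confirm that one of them is the line being removed. The `<mechanisms>` element opened inside `<continue/>` has no matching close within the hunk; check the surrounding context still closes it. Minor: the earlier paragraph writes "base64-encoded SASL Initial Response" while this one writes "base64 encoded initial response"; pick one spelling and one capitalisation for the term.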