

5.1 The EXTERNAL mechanism

The EXTERNAL mechanism is used to authenticate a user to a server based on out-of-band authentication. EXTERNAL is typically used over TLS authenticated channels. Note that in the server, you need to make sure that TLS actually authenticated the client successfully. It is normally not sufficient that TLS is used, since TLS also supports anonymous modes and modes without client certificates, in which case TLS has authenticated nobody.

In the client, this mechanism is always enabled, and will send the GSASL_AUTHZID property as the authorization name to the server, if the property is set. If the property is not set, the empty authorization name is sent. You need not implement a callback.

In the server, this mechanism will invoke the GSASL_VALIDATE_EXTERNAL callback to decide whether the client is authenticated and authorized to log in. Your callback can retrieve the GSASL_AUTHZID property to inspect the requested authorization name from the client.
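The following is an added example, not code from the GNU SASL manual or library, showing the decision a server-side GSASL_VALIDATE_EXTERNAL handler should make. To stay self-contained it does not link against libgsasl: the `tls_state` struct is a constructed stand-in for what a real server would learn from its TLS library, `VALIDATE_OK` and `VALIDATE_REJECT` are placeholders for `GSASL_OK` and `GSASL_AUTHENTICATION_ERROR`, and the `authzid` argument stands for the value a real callback would read with `gsasl_property_fast(sctx, GSASL_AUTHZID)`. The key point it demonstrates is the check from the text above: the callback must refuse unless TLS actually verified a client certificate, regardless of whether TLS is in use.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the TLS layer's view of the connection.  A real
 * server would fill this from its TLS library (the outcome of client
 * certificate verification) and pass it to the callback via a session hook. */
struct tls_state {
    int client_cert_verified;   /* 1 only if TLS verified a client certificate */
    const char *cert_identity;  /* identity taken from that certificate, or NULL */
};

/* Placeholder return codes; a real GSASL_VALIDATE_EXTERNAL callback returns
 * GSASL_OK or GSASL_AUTHENTICATION_ERROR from <gsasl.h> instead. */
enum { VALIDATE_OK = 0, VALIDATE_REJECT = 1 };

/* Decide whether an EXTERNAL login may proceed.  authzid is the value the
 * client sent as GSASL_AUTHZID (NULL or "" when the client sent none). */
int validate_external(const struct tls_state *tls, const char *authzid)
{
    /* Out-of-band authentication must actually have happened: a TLS session
     * in anonymous mode, or one that never verified a client certificate,
     * authenticates nobody, so EXTERNAL must be refused. */
    if (tls == NULL || !tls->client_cert_verified || tls->cert_identity == NULL)
        return VALIDATE_REJECT;

    /* Empty authorization name: the client acts as whoever the certificate
     * identifies, so there is nothing further to check. */
    if (authzid == NULL || authzid[0] == '\0')
        return VALIDATE_OK;

    /* Explicit authorization name: permit only if it matches the
     * authenticated identity.  A site with proxy-authorization rules would
     * consult its own policy here instead of requiring equality. */
    if (strcmp(authzid, tls->cert_identity) == 0)
        return VALIDATE_OK;

    return VALIDATE_REJECT;
}

int main(void)
{
    /* Constructed sample sessions: one with a verified client certificate,
     * one where TLS ran without client authentication. */
    struct tls_state verified = { 1, "alice@example.test" };
    struct tls_state anonymous = { 0, NULL };

    printf("verified cert, no authzid:       %d\n", validate_external(&verified, NULL));
    printf("verified cert, matching authzid: %d\n", validate_external(&verified, "alice@example.test"));
    printf("verified cert, other authzid:    %d\n", validate_external(&verified, "bob@example.test"));
    printf("TLS without client cert:         %d\n", validate_external(&anonymous, NULL));
    return 0;
}
```

In a real server the same logic sits inside the function registered with `gsasl_callback_set`, branching on the `GSASL_VALIDATE_EXTERNAL` property; the TLS result reaches it through whatever per-session hook the server stores, and 0 (`VALIDATE_OK`) maps to `GSASL_OK`.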