| From: | Jacob Champion <jacob(dot)champion(at)enterprisedb(dot)com> |
|---|---|
| To: | Nico Williams <nico(at)cryptonector(dot)com> |
| Cc: | Heikki Linnakangas <hlinnaka(at)iki(dot)fi>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Daniel Gustafsson <daniel(at)yesql(dot)se> |
| Subject: | Re: [oauth] SASL mechanisms |
| Date: | 2026-01-14 00:41:55 |
| Message-ID: | CAOYmi+mPwSsAAP0ucCouDqOQpW=BVLarcgdTK76ydf6Y9i1yLA@mail.gmail.com |
| Lists: | pgsql-hackers |

On Tue, Jan 13, 2026 at 3:27 PM Nico Williams <nico(at)cryptonector(dot)com> wrote:
> Wait, right, how did I miss that, you're using SASL, and the mechanism
> you're using is also a GSS-API mechanism (you just don't know it, but it
> is).

I am (vaguely) aware of GS2's existence, if that's what you mean. But
I thought OAUTHBEARER explicitly avoided defining a GS2 mech [1, 2].

> So actually we're going down the second path I asked about, except
> the server doesn't have a way to pass those auth-params in this case, so
> the client just has to know how to get the token -- it has to be
> configured with an STS URI, for example, and it has to know what
> credentials it can use to authenticate (non-interactively if at all
> possible, as we want SSO) to the STS. So that's all we need. So now I
> need to read the code. I'll be back some other day.

Sounds good (though I'd still be curious to know your thoughts on the
apparent "wrong direction" of flexibility in the mechanism itself).

> SASL and GSS-API are very close you know.

It's the API part of GSSAPI that I don't like, not the mechanisms.
(Well, I guess I don't like its most popular mechanism either.)

--Jacob

[1] https://datatracker.ietf.org/doc/html/rfc7628#section-3.1:~:text=this%20document%20does%20not%20define%20one

[2] https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml