Yury Sobolev

Results 9 comments of Yury Sobolev

I am partial to 3. It is significantly more general and seems less like a hack. Both 2 and 3 require the same change client side. Namely, we need the...

After some discussion on IRC, some problems become apparent. First of all, WAMP-SCRAM has four sequential parts: client-first, server-first, client-last, server-last. The client authenticates to the server in client-last, and...

SASL RFC: http://www.ietf.org/rfc/rfc4422.txt

Here is what we have so far (from IRC):

## Authentication via SCRAM first, then OTP

C: HELLO (scram-totp)
S: CHALLENGE (scram)
C: AUTHENTICATE (client-first)
S: CHALLENGE (server-first)
C: AUTHENTICATE...

PAM has other nice features such as 'sufficient', 'binding', 'requisite', and 'required' modules. For example, if a 'sufficient' module succeeds and no previous modules have failed, it returns immediately. This...

@oberstet Hm... I see your point. I think you are right, `cookie-scram-totp` should be all 3. Right now the crossbar router loops over available auth methods and picks the first...

@Paranaix This is true. I take it back. Restarting the auth process is actually reasonable. This is what I currently do.

OK, so maybe both of these approaches are reasonable. Option A: The client tries `[cookie]` and if that fails (producing a message "Expired cookie."), tries `[scram-totp, cert]` meaning it is...

Ah, neat. I did not realize there was true transport level authentication. I guess replace all instances of `cookie` with `plain` or something in my comment above (and lose the...