Cannot log in for JIDs with a node containing XEP 106 characters

Openfire 3.9.3, authentication with xmpp-sasl, DIGEST-MD5. Steps to reproduce.

  1. Create a user with a node having “@” character, e.g. pgstath@gmail.com@xmpp.test.im
  2. Connect with PSI, or Sharp.Xmpp.
  3. User is not authenticated

What both Sharp.Xmpp and PSI are sending during authentication is of the form (decoded from base64):

```
username="pgstath\40gmail.com",realm="xmpp.test.im",nonce="X+qNuOnBmyqNsiZV6yMbGbW/xLA1SAmwrQptTcTz",cnonce="A6vgWDip/fqvLYDJvydXQInj+WNHUzZn/BmjhJFS7yM=",nc=00000001,digest-uri="xmpp/xmpp.test.im",qop=auth,response=04da7eeeabe63546a270d3e150449784,charset=utf-8
```

This seems correct as far as XEP 106 is concerned.

User is authenticated with Spark but what Spark sends is this:

```
charset=utf-8,username="pgstath\\40gmail.com",realm="xmpp.test.im",nonce="HL9a4rmXyc3vAFYX3qOlWmCwgASEmVGZQuzDB8iW",nc=00000001,cnonce="Mat/uv8Ym3XwvE7HCccfDwH+DMZwTOfiNQ81FTzJ",digest-uri="xmpp/xmpp.test.im",maxbuf=65536,response=402170101fb2bb5f195d620407286214,qop=auth,authzid="pgstath\40gmail.com
```

I cannot keep from noticing the `pgstath\\40gmail.com` part. My impression is that a double backslash is wrong and not conforming to XEP 106. Is this the issue why PSI cannot connect? Is this a smack bug?

Interesting.

I’ve just tested it and it seems like only the DIGEST-MD5 algorithm is doing this.

I’ve tested with CRAM-MD5 and PLAIN: the username is correct here (one backslash only).

Spark is using the JDK security provider for SASL authentication, and it would surprise me if it’s wrong.

Then, after reading through RFC 2831 - Using Digest Authentication as a SASL Mechanism, I think the backslash is correct:

The backslash character ("\") MAY be used as a single-character quoting mechanism only within qdstr-val and comment constructs.

quoted-pair = "\" CHAR

The value of this construct is CHAR. Note that an effect of this rule **is that backslash must be quoted.**

(qdstr-val = username)

There seems to be still something wrong though, maybe on server side. I think Xmpp.Sharp and Psi are wrong and Spark is correct.

Well if in Sharp.Xmpp I escape the backslash, in the username part, then authentication happens correctly with Openfire. So the issue is definitely the escaped “\” character.

I think it’s a bug in Xmpp.Sharp then. According to above RFC, the extra backslash is mandatory.

Thanks, you two, for this interesting finding. Turns out Smack’s provided SASL mechanisms, used by Android, also do not quote the backslash. SMACK-710
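
The quoting rule discussed in this thread, as an added example (not code from Openfire, Smack, Sharp.Xmpp or any poster): a client builds a DIGEST-MD5 response for the node `pgstath\40gmail.com` with and without the RFC 2831 quoted-pair encoding, and a receiver that decodes quoted-pairs checks it. The password, nonce, cnonce and all function names are constructed for illustration, and the receiver's behaviour is assumed to follow RFC 2831.

```python
import hashlib
import re

# Constructed sample values; only the node and realm come from the thread.
NODE, REALM, PASSWORD = r"pgstath\40gmail.com", "xmpp.test.im", "s3cret"
NONCE, CNONCE, NC, URI = "c2FtcGxlLW5vbmNl", "c2FtcGxlLWNub25jZQ==", "00000001", "xmpp/xmpp.test.im"
ACCOUNTS = {NODE: PASSWORD}  # hypothetical server-side user store

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest(username: str, password: str) -> str:
    """RFC 2831 response value for qop=auth without authzid, over the unquoted username."""
    a1 = md5(f"{username}:{REALM}:{password}".encode()) + f":{NONCE}:{CNONCE}".encode()
    a2 = f"AUTHENTICATE:{URI}".encode()
    kd = f"{md5(a1).hex()}:{NONCE}:{NC}:{CNONCE}:auth:{md5(a2).hex()}"
    return md5(kd.encode()).hex()

def quote(value: str) -> str:
    """qdstr-val encoding: backslash and double quote become quoted-pairs."""
    return '"' + re.sub(r'([\\"])', r"\\\1", value) + '"'

def unquote(token: str) -> str:
    """Receiver side: drop the quotes, then each quoted-pair yields its second character."""
    if not token.startswith('"'):
        return token
    return re.sub(r"\\(.)", r"\1", token[1:-1])

def build_response(quote_backslash: bool) -> str:
    """Client message; quote_backslash=False reproduces the single-backslash form."""
    user = quote(NODE) if quote_backslash else f'"{NODE}"'
    return (f'username={user},realm="{REALM}",nonce="{NONCE}",cnonce="{CNONCE}",'
            f'nc={NC},digest-uri="{URI}",qop=auth,response={digest(NODE, PASSWORD)},charset=utf-8')

def server_verify(message: str, accounts: dict) -> tuple:
    """Parse directives, decode quoted strings, recompute the digest for the decoded user."""
    pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)', message)
    fields = {key: unquote(value) for key, value in pairs}
    user = fields["username"]
    ok = user in accounts and digest(user, accounts[user]) == fields["response"]
    return user, ok

if __name__ == "__main__":
    for quoted in (True, False):
        print(build_response(quoted).split(",")[0], "->", server_verify(build_response(quoted), ACCOUNTS))
```

With the single-backslash form the receiver decodes `\4` as `4` and looks up `pgstath40gmail.com`, so the lookup fails before the digest is even compared.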