What does Ejabberd authentication do?

Question

There's these external scripts here: https://docs.ejabberd.im/admin/configuration/authentication/#external-script

Which have zero documentation outside of saying "point your config file to the location of the script you wrote" and a list of examples. But there's no information on what you need to be doing in your script. I looked at some of the examples and it seems like it expects certain output to stdout. But I don't know what! Also, does the authentication work for things like user creation? My goal here is to be able to have a single Django project with Django authentication that will allow me to login to multiple different programs I have written. What exactly is the authentication doing when it uses the external script? What happens if I just simply accept all users and make a script that approves everything and everyone? What if I allow users with invalid urls? For example, they try to login with a host that isn't in the ejabberd.yml file? What if the ejabberd.yml file only has localhost and myexamplesite.com as a host and I authenticate a user from pizzahut.com? How does ejabberd handle this? What exactly does authentication mean to ejabberd?

Is what I want to do possible, without modification of the sourcecode?

Answer 1

There's these external scripts here: https://docs.ejabberd.im/admin/configuration/authentication/#external-script But there's no information on what you need to be doing in your script.

In that page there's a paragraph that says:

The details on the interface between ejabberd and the script are described in the Developers Internals section: External.

Did you follow that link? And it didn't solve any of your doubts?

What exactly is the authentication doing when it uses the external script?

ejabberd_auth_external runs extauth, which sends the corresponding query to your extauth script, and expects a reply yes/no.

What happens if I just simply accept all users and make a script that approves everything and everyone?

Well, then all registration and login attempts that pass ejabberd requirements will be succesfull. In fact, there's an example extauth script included in ejabberd that does exactly that, see https://github.com/processone/ejabberd/blob/master/examples/extauth/check_pass_null.pl

What if I allow users with invalid urls?

I don't understand what's the context of a HTTP URL in a XMPP scenario.

Do you mean an invalid JID, for example username@username@server ? ejabberd will reject account registration or login attempt using such JID long before the process flow reaches your extauth script

For example, they try to login with a host that isn't in the ejabberd.yml file?

Again, ejabberd will reject account registration or login attempt using such JID long before the process flow reaches your extauth script

What if the ejabberd.yml file only has localhost and myexamplesite.com as a host and I authenticate a user from pizzahut.com?

A client may TRY to authenticate, but ejabberd immediately rejects it with a stream-error host-unknown; your extauth script is not even called. Try using check_pass_null.pl, that extauth script accepts everything, but ejabberd does not.

How does ejabberd handle this?

As explained before, which makes sense to me, after reading the documentation at https://docs.ejabberd.im/developer/guide/#external

What exactly does authentication mean to ejabberd?

Wht exactly do you mean?

Is what I want to do possible, without modification of the sourcecode?

If you have a custom database, that feature is possible as long as you write an extauth script that uses your custom database.

By the way, once you write your script, if it is brand new (and not a small customization of the existing ones), I guess you will publish it somewhere, so other Django admins can benefit from your work, right?

PD: https://github.com/processone/ejabberd/discussions/3760