On 19 Nov 2012, at 15:06, Andreas Granig <agra...@sipwise.com> wrote:
> Hi David,
>
> On 11/19/2012 02:54 PM, David J wrote:
>> Is the database shared? If so maybe when they authenticate add a secure
>> token to the header that the second proxy can use for auth?
>
> No, the DBs are explicitly NOT shared in this scenario.
>
>> Just a suggestion, not sure if it's the answer you're looking for or perhaps
>> I didn't understand the scenario well enough.
>
> Let me try to put the scenario in different words:
>
> If a request from a subscriber hits a server, and it doesn't contain an
> Authorization header, then the server would just challenge the request.
> This doesn't require any subscriber information on this server, so it
> shouldn't matter whether this subscriber exists on this server or not.
>
> When the request comes in again, this time with an Authorization header,
> the server can use the username and realm of this header to check
> whether the subscriber is local or not. If it's local, it would just try
> to authenticate it as usual, and if it's not, it can look up the correct
> server using this auth username/realm and forward the request to the
> responsible server.
>
> Now this second server would receive a request, which already contains
> an Authorization header, but it won't be able to authenticate it if the
> nonce is not in sync between server1 and server2.
>
> So this leads to the question whether it's possible to sync the nonces
> in a way that server1 challenges a request, and a different server would
> be able to authenticate the subsequent request holding the
> challenge-response.
If both servers have the same procedure to produce the nonce, the first server can issue the nonce and the second accept it, verify that it is a valid nonce in this cluster and do the authentication.

I believe that's why we have the secret in the auth module:
http://kamailio.org/docs/modules/3.3.x/modules/auth.html#auth.secret

If we have two Kamailios with the same auth secret, I think one can issue a challenge and the other one will first verify the nonce, then go ahead with authorization based on the other server's nonce.

Before you believe in any word of what I say, wait for confirmation by one of the core developers :-)

/O

_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
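As an added illustration of the idea in this reply (example code, not from the thread and not Kamailio's own nonce implementation, whose exact nonce layout differs): a stateless nonce derived from a cluster-wide secret, so that a node that never saw the challenge can still validate the nonce and then check the digest response. The realm, secret, credentials and the `<timestamp>.<hmac>` nonce format are all constructed assumptions.

```python
import hashlib
import hmac

REALM = "example.test"                 # constructed realm
CLUSTER_SECRET = "cluster-auth-secret"  # constructed; same value on every node


def issue_nonce(secret: str, now: int, realm: str = REALM) -> str:
    """Stateless nonce: timestamp plus an HMAC over timestamp|realm (assumed format)."""
    ts = str(now)
    tag = hmac.new(secret.encode(), f"{ts}|{realm}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{tag}"


def verify_nonce(secret: str, nonce: str, now: int, max_age: int = 300, realm: str = REALM) -> bool:
    """Any node holding the secret can check the nonce without having issued it."""
    try:
        ts, tag = nonce.split(".", 1)
        issued = int(ts)
    except ValueError:
        return False
    expected = hmac.new(secret.encode(), f"{ts}|{realm}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False  # forged, or minted with a different secret
    return 0 <= now - issued <= max_age  # reject stale (and future-dated) nonces


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def authenticate(secret, creds, password, now):
    """Server-side check: validate the nonce first, then the digest response."""
    if not verify_nonce(secret, creds["nonce"], now):
        return "stale"
    expected = digest_response(creds["username"], creds["realm"], password,
                               creds["method"], creds["uri"], creds["nonce"])
    return "ok" if hmac.compare_digest(expected, creds["response"]) else "bad"


def cluster_flow(secret_server1, secret_server2, now_challenge, now_auth):
    """server1 challenges, the subscriber answers, server2 authenticates."""
    nonce = issue_nonce(secret_server1, now_challenge)
    creds = {"username": "alice", "realm": REALM, "method": "REGISTER",
             "uri": f"sip:{REALM}", "nonce": nonce}
    creds["response"] = digest_response("alice", REALM, "s3cret", "REGISTER", creds["uri"], nonce)
    return authenticate(secret_server2, creds, "s3cret", now_auth)
```

With the same secret on both nodes, `cluster_flow` returns "ok"; with different secrets or an expired nonce, server2 rejects the request as stale before it ever compares the digest.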