This articles has information related to answers to some of the issues related to cisco-vtg-token
1. Login with CISCO-VTG-TOKEN seem to crash IM & Presence 9.1
2. Authentication with CISCO-VTG-TOKEN fails for user ids containing @
Login with CISCO-VTG-TOKEN seem to crash IM & Presence 9.1
I'm trying to write an application to manager Jabber contact lists.
As far as I understand it, user contact lists for "normal" presence-enabled contacts cannot be managed using the Client Configuration Web Service but via XMPP.
So what I need to do is retrieve a one-time-password from the Client Configuration Web Service and use it to login via XMPP using the CISCO-VTG-TOKEN method.
I'm trying to do this using the Smack Java-library (Ignite Realtime: Smack API) and a custom CISCO-VTG-TOKEN client-implementation. The developer guide says the authentication information has to be put into a string in the form
userid=user@domain, NULL, token=one-time-password
and sent Base64-encoded.
If I do that, something seem to crash within the IM&Presence Server: I cannot login via Jabber (get an Error "communication failed") until I restart the server.
Has anyone seen a similar issue?
Found the cause for the issue:
My VTG-TOKEN was malformed.
The format must be userid=userid@domainNULLBYTEtoken=onetimepassword
The important thing is the 0-byte separating the userid and token part.
Without it, this malformed string causes the Cisco XCP Authentication Service to crash and restart.
With this code, it is working now:
String useridPart = "userid=" + username + "@" + serviceName;
String tokenPart = "token=" + oneTimePassword;
// Build the base64 encoded authentication string: userid=<username@domain>NULLBYTEtoken=<oneTimePassword>
byte useridPartArray = useridPart.getBytes();
byte tokenPartArray = tokenPart.getBytes();
byte separator = 0;
byte authenticationTextArray = new byte[useridPartArray.length + 1 + tokenPartArray.length];
System.arraycopy(useridPartArray, 0, authenticationTextArray, 0, useridPartArray.length);
authenticationTextArray[useridPartArray.length] = separator;
System.arraycopy(tokenPartArray, 0 , authenticationTextArray, useridPartArray.length +1, tokenPartArray.length);
String encodedAuthentication = StringUtils.encodeBase64(authenticationTextArray);
Authentication with CISCO-VTG-TOKEN fails for user ids containing @
About a year ago, I wrote a little application for Jabber contact list synchronization.
This application performs a XMPP login on behalf of the user and adds/removes contacts.
I tried to use this at another customer, but the SASL authentication failed for all users with "temporary-auth-failure". At this customer, the emailaddress is used as userid, so all usernames are firstname.lastname@example.org, and the XMPP address is email@example.com@xmpp.domain.
It seems like the authentication fails for all users with @ in their userid. I could reproduce the issue by creating a local user with no @ in the userid (authentication worked) and one with @ (failed).
I tried to replace the @ in the userid with %40, but the authentication kept failing with "tmporary-auth-failure".
Did anyone has seen this issue and found a solution?
Yes I have encountered this issue. Unfortunately this is not supported nor advised by either the XMPP standard itself or Cisco. You customer that is using the whole e-mail address for the username will have to change it to make it work for the users to be in compliance with the standard. If they are still having issues afterwards we can support it.
That being said I am fairly certain you can make it work to some degree but not fully... and like I mentioned earlier, you would not be able to get any help with it and would have to support it on your own.
on another side note just to be clear, when developers that are creating their own Jabber/XMPP servers are using is the standard. Please see some of these resources to identify some of the standard rules.
The format for a JID is...
jid = [ localpart "@" ] domainpart [ "/" resourcepart ]
It goes on to say...
The domainpart of a JID is that portion after the '@' character (if any) and before the '/' character (if any);
So if you include two @ signs, it assumes the domain is everything after the first @ sign, which is why it will not accept user@domain@otherdomain