On 25.01.23 14:22, Alan DeKok wrote:
What I'm not clear on is how they would negotiate a special username which triggers a new auth, but without doing a password check. That seems odd to me.
No negotiation required. It gets the username as part of basic auth, sees the name and then makes a decision to initiate a new inner method. Imagine two groups of usernames on a server: one that use basic auth and another that has 2FA, where the 2FA is invoked in an EAP method. This may not be the BEST method (you could probably think of better), but TEAP doesn't say you can't do it (perhaps we're here because TEAP doesn't forbid enough stuff ;-)
Eliot _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu
