KICL supports using SASL to authenticate with an IRC server. As described in the
IRCv3.1 spec, SASL allows the client to authenticate using a SASL
mechanism and the
AUTHENTICATE command. The client must have requested the
sasl capability to be able to use the
KICL's SASL support can be configured by calling the
Client#getAuthManager method which returns an
manager can be used to manage authentication protocols. For SASL, there are currently three available authentication
protocols which extend
AbstractSaslProtocol class. It's also possible to add non-SASL authentication protocols.
Protocols can be added by calling the
AuthManager#addProtocol method, for example:
client.getAuthManager().addProtocol(new SaslPlain(client, "accountname", "password"));
The three available mechanisms are described below. The server-side SASL authentication logic is almost always performed by the services package (e.g. Atheme) and these services packages may support authentication mechanisms which KICL does not. If that's the case, it should be easy enough to extend `AbstractSaslProtocol`` yourself.
Formally described in RFC 4616, the PLAIN mechanism sends an authcid (account name to login with), password and optionally an authzid (account name to impersonate) in plaintext. As mentioned in the RFC, this mechanism SHOULD NOT be used without adequate socket security. In practice, this means the PLAIN mechanism should never be used without TLS.
The authzid, authcid and password are separated by a null byte. If the authzid is omitted the null byte must still
appear at the start of the AUTHENTICATE argument. The argument is base64 encoded. To use the PLAIN mechanism with KICL,
AuthManager#addProtocol method and supply an instance of
Client client = Client.builder().nick("Kitteh").server().host("127.0.0.1").then().build(); client.getAuthManager().addProtocol(new SaslPlain(client, "Kitteh", "password"));
KICL does not currently support impersonation - this is only really applicable to services administrators in the context of IRC.
For Atheme, the EXTERNAL mechanism looks at the client's TLS certificate and checks to see if the fingerprint has been associated with a services account. The client will become authenticated if so.
Client client = Client.builder().nick("Kitteh").server().host("127.0.0.1").secureKeyCertChain(null).secureKey(null).then().build();; client.getAuthManager().addProtocol(new SaslExternal(client));
See the TLS docs for more information on the
This mechanism uses an elliptic curve keypair and a challenge from the server, which the client signs. The result is sent to the server and checked against the public key stored with the NickServ account. If the signature is valid, the user is logged in to their account.
Please see the specific docs for this mechanism for more information.