Skip to content

Add custom authentication #1062

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add custom authentication #1062

wants to merge 1 commit into from
+60 −32

Conversation

desdic
Copy link

@desdic desdic commented Oct 20, 2025

I found a lot of references to mysql_clear_password but the handling was missing

dveeden
dveeden reviewed Oct 20, 2025
View reviewed changes
server/auth.go Outdated
}

func (c *Conn) compareClearPasswordAuthData(clientAuthData []byte, credential Credential) error {
clearText := bytes.Trim(clientAuthData, "\x00")
Copy link
Collaborator

@dveeden dveeden Oct 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be bytes.TrimRight()? What if there are multiple \x00, like in the middle of the clientAuthData?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yes fixed

lance6716
lance6716 reviewed Oct 20, 2025
View reviewed changes
Copy link
Collaborator

@lance6716 lance6716 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, I'm not sure about this option. Maybe it's not a server-side auth method, just to cooperate with other auth methods at client-side? https://dev.mysql.com/doc/refman/8.4/en/cleartext-pluggable-authentication.html

Can you provide some material about it?

@dveeden
Copy link
Collaborator

dveeden commented Oct 20, 2025

The info for this authentication method is here: https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_connection_phase_authentication_methods_clear_text_password.html
Maybe we should link this in a comment?

So the mysql_clear_password authentication with MySQL would use either LDAP, PAM or something similar on the server side, it isn't stored in the mysql.user table. However we don't have to follow that.

@dveeden
Copy link
Collaborator

dveeden commented Oct 20, 2025

This should:

  • have some tests
  • have some very visible warnings about the security of this. Both in logging and comments in the code.

This could be a basis and/or demonstration for something that can be extended to do external authentication.

@dveeden
Copy link
Collaborator

dveeden commented Oct 20, 2025

Test failures are due to a Docker outage: https://www.dockerstatus.com/

@desdic
Copy link
Author

desdic commented Oct 20, 2025
edited
Loading

This should:

  • have some tests
  • have some very visible warnings about the security of this. Both in logging and comments in the code.

This could be a basis and/or demonstration for something that can be extended to do external authentication.

Would it be better if I created an interface/struct for handling custom authentication ? so if needed one could implement the mysql_clear_password themselves or use some custom type of encryption ?

I guess what I'm trying to write is that (I'm building a proxy) and I do need the password provided since I'm just going to relay it to a backend. Is there anyway that I can optain the password/clientAuthData without make a custom type ?

@dveeden
Copy link
Collaborator

dveeden commented Oct 20, 2025

  1. Yes making it easy to do custom auth would be good.
  2. Note that with caching_sha2_password over TLS without a cached entry you also get a plaintext password. This might not be usable for you and is probably a bit too much of a hack. But this may have better/improved compatibility with clients. Just so you know.

@desdic
Copy link
Author

desdic commented Oct 20, 2025
edited
Loading

making custom auth would also be the only way for a user of this library to get clientAuthData in raw form right ?

@dveeden
Copy link
Collaborator

dveeden commented Oct 20, 2025

making customer auth would also be the only way for a user of this library to get clientAuthData in raw form right ?

Yes, that's probably correct.

@desdic
Copy link
Author

desdic commented Oct 20, 2025

making customer auth would also be the only way for a user of this library to get clientAuthData in raw form right ?

Yes, that's probably correct.

Oki I'll redo my patch to make a custom authentication then :)

@desdic
Copy link
Author

desdic commented Oct 20, 2025
edited
Loading

I haven't added any test to this yet since I wanted to check with you first if this is too invasive. But I have this running in my proxy using mysql_clear_password and then doing the authentication via the interface.

also test is failing even if I check out a fresh master

@desdic desdic force-pushed the clear branch 2 times, most recently from 62442f7 to 9f2612e Compare October 21, 2025 02:54
@desdic
Copy link
Author

desdic commented Oct 21, 2025

Oki hopefully last commit. I've added the authentication as an interface with a default one so behavior is the same as before but its possible to implement you own authentication and plugin validation

@desdic desdic changed the title Add clear text password authentication Add custom authentication Oct 21, 2025
@desdic
Copy link
Author

desdic commented Oct 22, 2025

is my latest patch better ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dveeden dveeden dveeden left review comments

@lance6716 lance6716 lance6716 left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@desdic @dveeden @lance6716