Strophe.js implements SASL (Simple Authentication and Security Layer) authentication through a pluggable mechanism system. Each mechanism extends theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/strophe/strophejs/llms.txt
Use this file to discover all available pages before exploring further.
SASLMechanism base class and is selected automatically based on priority and server capability advertisement. You can register custom mechanisms, adjust priorities, or disable built-in mechanisms entirely to fit your application’s security requirements.
SASLMechanism Base Class
TheSASLMechanism class is the abstract base from which all SASL mechanisms are derived. It defines the lifecycle hooks that Strophe.js calls during the authentication exchange. To implement a custom mechanism, extend this class and override the relevant methods.
Constructor
'SCRAM-SHA-256'). This becomes the mechname property.true if the client sends the first message in the authentication exchange without waiting for a server challenge. When true, Strophe.js calls clientChallenge() before the first onChallenge() invocation.Properties
name argument.Connection instance. Set by onStart() and cleared by both onSuccess() and onFailure(). Prefixed with _ to indicate it is managed internally.Methods
test(_connection): boolean
test(_connection): boolean
false to disable the mechanism entirely or conditionally based on connection state.true. Override this method to add conditional logic — for example, requiring that authcid is set:test to return false on its prototype. See the Disabling a Mechanism section below.onStart(connection): void
onStart(connection): void
this._connection.this._connection.super.onStart(connection) to ensure _connection is set.onChallenge(_connection, _challenge?): string | Promise<string | false>
onChallenge(_connection, _challenge?): string | Promise<string | false>
undefined on the first call for non-client-first mechanisms.string for synchronous mechanisms, or a Promise<string | false> for async mechanisms such as SCRAM variants. Return false (or resolve to false) to signal an authentication failure.clientChallenge(connection): string | Promise<string | false>
clientChallenge(connection): string | Promise<string | false>
onChallenge() for the very first message when isClientFirst is true. The base implementation delegates to onChallenge(connection). SCRAM-based mechanisms override this to generate the client-first message with a nonce.onSuccess(): void
onSuccess(): void
this._connection. Override this to perform post-authentication cleanup or state management.onFailure(): void
onFailure(): void
this._connection. Override this to handle failure states or reset internal mechanism data.Built-in Mechanisms
Strophe.js ships with nine built-in SASL mechanisms. When the server advertises multiple supported mechanisms, Strophe.js selects the one with the highest priority that passes itstest() check. The default priorities from highest to lowest are:
| Mechanism | Class | Priority |
|---|---|---|
| SCRAM-SHA-512 | SASLSHA512 | 72 |
| SCRAM-SHA-384 | SASLSHA384 | 71 |
| SCRAM-SHA-256 | SASLSHA256 | 70 |
| SCRAM-SHA-1 | SASLSHA1 | 60 |
| PLAIN | SASLPlain | 50 |
| OAUTHBEARER | SASLOAuthBearer | 40 |
| X-OAUTH2 | SASLXOAuth2 | 30 |
| ANONYMOUS | SASLAnonymous | 20 |
| EXTERNAL | SASLExternal | 10 |
SASLAnonymous — ANONYMOUS (priority 20)
SASLAnonymous — ANONYMOUS (priority 20)
| Property | Value |
|---|---|
mechname | 'ANONYMOUS' |
isClientFirst | false |
priority | 20 |
test() behavior: Returns true only when connection.authcid is null, meaning no username has been supplied.SASLExternal — EXTERNAL (priority 10)
SASLExternal — EXTERNAL (priority 10)
authcid matches authzid).| Property | Value |
|---|---|
mechname | 'EXTERNAL' |
isClientFirst | true |
priority | 10 |
onChallenge() behavior: Returns connection.authzid unless authcid === authzid, in which case it returns an empty string, signalling the server should derive the identity from the certificate.SASLOAuthBearer — OAUTHBEARER (priority 40)
SASLOAuthBearer — OAUTHBEARER (priority 40)
connection.pass.| Property | Value |
|---|---|
mechname | 'OAUTHBEARER' |
isClientFirst | true |
priority | 40 |
test() behavior: Returns true when connection.pass is not null.onChallenge() behavior: Constructs the GS2 bearer token message in the format n,[a=authzid],\x01auth=Bearer <token>\x01\x01, UTF-16 to UTF-8 encoded.SASLPlain — PLAIN (priority 50)
SASLPlain — PLAIN (priority 50)
| Property | Value |
|---|---|
mechname | 'PLAIN' |
isClientFirst | true |
priority | 50 |
test() behavior: Returns true when connection.authcid is not null.onChallenge() behavior: Constructs the string [authzid]\x00authcid\x00password (omitting authzid prefix when it equals authcid@domain), then encodes it as UTF-8.SASLSHA1 — SCRAM-SHA-1 (priority 60)
SASLSHA1 — SCRAM-SHA-1 (priority 60)
| Property | Value |
|---|---|
mechname | 'SCRAM-SHA-1' |
isClientFirst | true |
priority | 60 |
test() behavior: Returns true when connection.authcid is not null.Uses the Web Crypto API (crypto.subtle) with PBKDF2 key derivation. The clientChallenge() method generates a random nonce and constructs the client-first message. The onChallenge() method processes the server challenge and returns the client-final message.SASLSHA256 — SCRAM-SHA-256 (priority 70)
SASLSHA256 — SCRAM-SHA-256 (priority 70)
| Property | Value |
|---|---|
mechname | 'SCRAM-SHA-256' |
isClientFirst | true |
priority | 70 |
test() behavior: Returns true when connection.authcid is not null.Uses crypto.subtle with 'SHA-256' and 256-bit key derivation. Provides mutual authentication — both the client verifies the server and the server verifies the client.SASLSHA384 — SCRAM-SHA-384 (priority 71)
SASLSHA384 — SCRAM-SHA-384 (priority 71)
| Property | Value |
|---|---|
mechname | 'SCRAM-SHA-384' |
isClientFirst | true |
priority | 71 |
test() behavior: Returns true when connection.authcid is not null.Uses crypto.subtle with 'SHA-384' and 384-bit key derivation via PBKDF2.SASLSHA512 — SCRAM-SHA-512 (priority 72)
SASLSHA512 — SCRAM-SHA-512 (priority 72)
| Property | Value |
|---|---|
mechname | 'SCRAM-SHA-512' |
isClientFirst | true |
priority | 72 |
test() behavior: Returns true when connection.authcid is not null.Uses crypto.subtle with 'SHA-512' and 512-bit key derivation via PBKDF2. Provides the strongest security of all built-in SCRAM variants.SASLXOAuth2 — X-OAUTH2 (priority 30)
SASLXOAuth2 — X-OAUTH2 (priority 30)
X-OAUTH2 extension mechanism. Passes an OAuth 2.0 access token as connection.pass. This is a non-standard extension primarily used with Google Talk / Google Workspace XMPP services.| Property | Value |
|---|---|
mechname | 'X-OAUTH2' |
isClientFirst | true |
priority | 30 |
test() behavior: Returns true when connection.pass is not null.onChallenge() behavior: Constructs \x00[authzid]\x00token encoded as UTF-8.OAUTHBEARER (RFC 7628) for new OAuth 2.0 integrations. X-OAUTH2 is a legacy mechanism and may not be supported by all servers.Custom Mechanisms
You can implement your own SASL mechanism by extendingSASLMechanism and passing it via the mechanisms connection option. Strophe.js will include it in mechanism selection alongside the built-ins.
Disabling a Mechanism
To permanently disable a built-in mechanism for all connections in a runtime, override itstest method to return false:
mechanisms option to provide an explicit allowlist: