Strophe.js sends an authzid during PLAIN when not acting on behalf of another entity
Kev opened this issue · comments
Kevin Smith commented
Decoding the PLAIN exchange, Converse is sending both an authcid (authentication identity) and an authzid (authorization identity) for the same identity (although obviously the authcid is without the domain and the authzid is with). It MUST NOT do this:
If the initiating entity does not wish to act on
behalf of another entity, it MUST NOT provide an authorization
identity.
(RFC6120 6.3.8)
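The rule quoted above, expressed against the SASL PLAIN wire format (RFC 4616: `[authzid] NUL authcid NUL passwd`). This is an added example, not code from Strophe.js or Converse; the function names, the simplified JID comparison and the sample credentials are assumptions made for illustration.

```javascript
// SASL PLAIN (RFC 4616): message = [authzid] NUL authcid NUL passwd
// All identities and passwords here are constructed sample values.

// Simplified bare-JID comparison (assumption: plain lowercase, no PRECIS).
function isOwnIdentity(authzid, authcid, domain) {
  return authzid.toLowerCase() === `${authcid}@${domain}`.toLowerCase();
}

// Build the base64 initial response. An authzid is emitted only when actAs
// names an entity other than the one authenticating.
function buildPlainResponse({ authcid, domain, password, actAs = "" }) {
  for (const field of [authcid, password, actAs]) {
    if (field.includes("\0")) throw new Error("NUL is not allowed in PLAIN fields");
  }
  const authzid = actAs && !isOwnIdentity(actAs, authcid, domain) ? actAs : "";
  return Buffer.from(`${authzid}\0${authcid}\0${password}`, "utf8").toString("base64");
}

// Decode a captured response and flag the case reported in this issue.
// The password is deliberately left out of the result.
function inspectPlainResponse(b64, domain) {
  const parts = Buffer.from(b64, "base64").toString("utf8").split("\0");
  if (parts.length !== 3 || parts[1] === "") {
    throw new Error("not a well-formed SASL PLAIN message");
  }
  const [authzid, authcid] = parts;
  return {
    authzid,
    authcid,
    hasAuthzid: authzid !== "",
    redundantAuthzid: authzid !== "" && isOwnIdentity(authzid, authcid, domain),
  };
}

// Constructed capture in the reported shape: authzid with the domain, authcid without.
const reported = Buffer.from("juliet@example.com\0juliet\0s3cret").toString("base64");
console.log(inspectPlainResponse(reported, "example.com"));
console.log(inspectPlainResponse(
  buildPlainResponse({ authcid: "juliet", domain: "example.com", password: "s3cret" }),
  "example.com"));
```

A compliant response for a client acting only as itself decodes to a message that begins with the NUL separator, so `hasAuthzid` is false.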