Pure SASL
`pure-sasl` is a pure Python client-side implementation of the Simple Authentication and Security Layer (SASL) protocol. It enables Python applications to authenticate securely against servers using various SASL mechanisms like PLAIN, SCRAM-SHA-1, SCRAM-SHA-256, and GSSAPI (with an optional dependency). The current version is 0.6.2, and it maintains a moderate release cadence, with the latest update in March 2024.
Warnings
- Gotcha: Pure-SASL is a client-side library. It provides client implementations for various SASL mechanisms but does not offer server-side SASL functionality. Users needing server-side SASL should look for alternative libraries.
- Gotcha: The GSSAPI (Kerberos) SASL mechanism requires the separate `gssapi` Python library to be installed (e.g., `pip install gssapi`). `pure-sasl` itself does not bundle GSSAPI support and will raise an error if GSSAPI is used without the dependency.
- Gotcha: While `pure-sasl` handles the internal logic of SASL mechanisms, correct usage requires a clear understanding of the SASL challenge-response protocol. Developers must manage the network communication (sending client responses, receiving server challenges) correctly.
Install
```bash
pip install pure-sasl
```
Imports
- SASLClient
```python
# The distribution is installed as "pure-sasl"; the importable package is "puresasl".
from puresasl.client import SASLClient
```
Quickstart
```python
import os
from puresasl.client import SASLClient

# Retrieve credentials from environment variables or provide defaults.
# In a real application, these would come from configuration or user input.
username = os.environ.get("SASL_USERNAME", "myuser")
password = os.environ.get("SASL_PASSWORD", "mypassword")
# SASLClient takes the server host as its first argument; "localhost" is a placeholder.
host = "localhost"

# 1. Initialize the SASL client with the desired mechanism and credentials.
# Common mechanisms: 'PLAIN', 'SCRAM-SHA-1', 'SCRAM-SHA-256'.
# PLAIN sends the password unprotected, so use it only over a TLS-protected connection.
try:
    client = SASLClient(
        host,
        mechanism='PLAIN',
        username=username,
        password=password
    )
    print(f"SASLClient initialized for PLAIN mechanism with user: {username}")

    # 2. Process the initial challenge from the server.
    # For PLAIN, the initial challenge is typically an empty bytes string.
    # In a real network exchange, this comes from the server.
    server_challenge_1 = b''
    client_response_1 = client.process(server_challenge_1)
    # This response contains the password; do not log it outside a demo.
    print(f"Client response to initial challenge: {client_response_1!r}")

    # 3. If authentication requires more steps (e.g., SCRAM),
    # the server would send another challenge, which you'd pass to .process() again.
    # For PLAIN, the process is often complete after the first response.
    # client.complete only means the client has nothing more to send;
    # the server's reply decides whether authentication succeeded.
    if client.complete:
        print("SASL PLAIN authentication sequence complete.")
    else:
        print("Authentication not yet complete. Awaiting further server challenges.")
except Exception as e:
    print(f"Error during SASL client operation: {e}")
```
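The third warning leaves the network exchange to the caller, and the Quickstart stops at `client.complete`. The sketch below is an added example, not code from `pure-sasl`: it drives that exchange and accepts a login only when the server reports success. `PlainStub`, `ScriptedTransport`, `authenticate` and the `OK`/`CONTINUE`/`FAIL` status strings are hypothetical names constructed so the block runs offline; the stub mirrors only the `process()`/`complete` surface used in the Quickstart.

```python
import base64

class PlainStub:
    """Constructed stand-in exposing process()/complete like the Quickstart
    client, so the block runs without the library installed."""
    def __init__(self, username, password, authzid=""):
        # RFC 4616 PLAIN message: authzid NUL authcid NUL passwd
        parts = (authzid, username, password)
        self._msg = b"\x00".join(p.encode("utf-8") for p in parts)
        self.complete = False

    def process(self, challenge=None):
        self.complete = True  # the client has nothing more to send
        return self._msg

class ScriptedTransport:
    """Constructed fake server link replaying (status, challenge) replies."""
    def __init__(self, replies):
        self._replies = list(replies)
        self.sent = []

    def send(self, payload):
        # Base64 framing is an assumption here; it is encoding, not protection.
        self.sent.append(base64.b64encode(payload))

    def recv(self):
        return self._replies.pop(0)

def authenticate(client, transport, max_rounds=8):
    """Return True only when the server reports success."""
    challenge = b""
    for _ in range(max_rounds):
        transport.send(client.process(challenge))
        status, challenge = transport.recv()
        if status == "OK":
            return bool(client.complete)
        if status != "CONTINUE" or client.complete:
            return False  # rejected, unknown status, or unexpected extra challenge
    return False  # too many rounds: treat as failure

if __name__ == "__main__":
    good = ScriptedTransport([("OK", b"")])
    print(authenticate(PlainStub("alice", "s3cret"), good))
    rejected = PlainStub("alice", "wrong")
    # The client is "complete" even though the server refused the login.
    print(authenticate(rejected, ScriptedTransport([("FAIL", b"")])), rejected.complete)
    # The framed PLAIN message decodes straight back to the credentials.
    print(base64.b64decode(good.sent[0]))
```

With a real client, replace `PlainStub` with the `SASLClient` instance and `ScriptedTransport` with the protocol's own send and receive calls.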