
XMPP, ejabberd auth-mechanism


I would like to ask if there is a possibility to force the authentication mechanisms in the ejabberd config. Currently the ejabberd server is providing a list of the available authentication mechanisms.

In the ejabberd log we can see the list:

Send XML on stream = <<"<stream:features><mechanisms
xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism>
<mechanism>X-OAUTH2</mechanism><mechanism>SCRAM-SHA-1</mechanism>
</mechanisms><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
</stream:features>">>

Some users (in our case CPEs (Routers, Set-top boxes)) are able to use the SCRAM-SHA, some of them are only able to use the PLAIN method, etc.

2021-07-20 14:42:09.763 [info]
<0.6716.0>@ejabberd_c2s:handle_auth_success:432 (tls|<0.6716.0>) Accepted
c2s SCRAM-SHA-1 authentication for acs01@test.ejabberd.com by sql backend
from 192.168.0.1
2021-07-20 14:42:31.765 [info]
<0.6721.0>@ejabberd_c2s:handle_auth_success:432 (tcp|<0.6721.0>) Accepted
c2s PLAIN authentication for 00b052101005@test.ejabberd.com by sql backend
from 88.229.19.19
2021-07-20 14:42:36.438 [info]
<0.6722.0>@ejabberd_c2s:handle_auth_success:432 (tcp|<0.6722.0>) Accepted
c2s SCRAM-SHA-1 authentication for 001565a36103@test.ejabberd.com by sql
backend from 103.217.240.30

Is it possible to force the xmpp server to offer only one method?


Solution

  • You can disable SASL mechanisms using https://docs.ejabberd.im/admin/configuration/toplevel/#disable-sasl-mechanisms

    For the other methods, looking at the source code they are automatically enabled/disabled: https://github.com/processone/ejabberd/blob/8afc320aba7bdb51f7a76973be2d9cbf200c6310/src/ejabberd_c2s.erl#L376

    Of course, you can simply delete the lines you don't want there, recompile and install.
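
Added example (not part of the original question or answer, and not ejabberd code): a log audit that lists which accounts authenticate with each SASL mechanism and which PLAIN logins arrived on a `tcp` rather than `tls` socket, so the effect of disabling a mechanism can be checked first. The sample input is the excerpt from the question; the function names and the reading of the `tcp` marker as "no TLS" are assumptions.

```python
import re
from collections import defaultdict

# Sample input: the log excerpt from the question, kept line-wrapped as posted.
SAMPLE_LOG = """\
Send XML on stream = <<"<stream:features><mechanisms
xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism>
<mechanism>X-OAUTH2</mechanism><mechanism>SCRAM-SHA-1</mechanism>
</mechanisms><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
</stream:features>">>
2021-07-20 14:42:09.763 [info]
<0.6716.0>@ejabberd_c2s:handle_auth_success:432 (tls|<0.6716.0>) Accepted
c2s SCRAM-SHA-1 authentication for acs01@test.ejabberd.com by sql backend
from 192.168.0.1
2021-07-20 14:42:31.765 [info]
<0.6721.0>@ejabberd_c2s:handle_auth_success:432 (tcp|<0.6721.0>) Accepted
c2s PLAIN authentication for 00b052101005@test.ejabberd.com by sql backend
from 88.229.19.19
2021-07-20 14:42:36.438 [info]
<0.6722.0>@ejabberd_c2s:handle_auth_success:432 (tcp|<0.6722.0>) Accepted
c2s SCRAM-SHA-1 authentication for 001565a36103@test.ejabberd.com by sql
backend from 103.217.240.30
"""

# \s+ between tokens tolerates entries wrapped over several lines.
AUTH_RE = re.compile(
    r"\((?P<transport>tls|tcp)\|<[\d.]+>\)\s+Accepted\s+c2s\s+(?P<mech>\S+)\s+"
    r"authentication\s+for\s+(?P<jid>\S+)\s+by\s+\S+\s+backend\s+from\s+(?P<ip>\S+)"
)
MECH_RE = re.compile(r"<mechanism>([^<]+)</mechanism>")

def offered_mechanisms(log_text):
    """Mechanisms advertised in logged <stream:features>, in first-seen order."""
    return list(dict.fromkeys(MECH_RE.findall(log_text)))

def audit(log_text):
    """Return ({mechanism: set of JIDs}, [(jid, ip) for PLAIN logins not on tls])."""
    by_mech = defaultdict(set)
    plain_without_tls = []
    for m in AUTH_RE.finditer(log_text):
        by_mech[m["mech"]].add(m["jid"])
        # Assumption: the "tcp" marker means the stream was not TLS-protected.
        if m["mech"] == "PLAIN" and m["transport"] != "tls":
            plain_without_tls.append((m["jid"], m["ip"]))
    return dict(by_mech), plain_without_tls

if __name__ == "__main__":
    print(offered_mechanisms(SAMPLE_LOG), *audit(SAMPLE_LOG), sep="\n")
```

Any JID listed under PLAIN would have to fall back to another mechanism or fail to authenticate if PLAIN were added to `disable_sasl_mechanisms`, so that list is the set of devices to check before changing the option.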