After the client and server have agreed on a protocol version, the server must verify the client's identity. The client begins by sending the following message:
USER username
username is the ODSIMS username of the person the client is representing, or, in other words, the part of the client's IM address that precedes the '@' character.
The server then responds by sending an authentication challenge to the client, which has the following form:
AUTH algorithm initialization_data
where algorithm is the well-known symbol for a particular authentication algorithm, and initialization_data is a hexadecimal string containing challenge data appropriate for the requested algorithm.
The following simple authentication algorithms are proposed:
MD5: The server sends a never-repeated data sequence (the current time, for example) which the client prepends to its own ODSIMS password. The client computes the MD5 hash of the concatenated sequence and returns it.
SHA: Same as MD5, except that the hashing algorithm is SHA.
These MD5 and SHA authentication algorithms are recommended for inclusion in all ODSIMS servers because they are simple to implement and relatively secure. Proposals for other challenge-response authentication techniques are solicited.
If the server accepts the client's response, it sends an AUTH_ACCEPTED message. Otherwise, it sends an AUTH_REJECTED message and the authentication process begins again.
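The exchange above, modelled end to end as an added example (not code from the ODSIMS proposal). It assumes the symbol SHA means SHA-1, that the client hex-decodes the challenge to bytes before prepending it to the password, that the challenge is built from the current time plus random bytes, and a constructed credential store; note that this scheme obliges the server to hold the plaintext password so it can recompute the digest.

```python
import hashlib
import hmac
import os
import re
import time

# Assumption: the page's "SHA" symbol is SHA-1.
ALGORITHMS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}

# Constructed credential store. The scheme hashes challenge || password
# fresh per login, so the server must store the password itself.
PASSWORDS = {"alice": b"correct horse battery staple"}

AUTH_LINE = re.compile(r"^AUTH (MD5|SHA) ([0-9a-f]+)$")


def make_challenge(algorithm: str) -> tuple[str, bytes]:
    """Build the server's AUTH line with a never-repeating challenge.

    Assumed construction: 8 bytes of microsecond time plus 8 random bytes,
    so two challenges issued in the same clock tick still differ.
    """
    data = int(time.time() * 1_000_000).to_bytes(8, "big") + os.urandom(8)
    return f"AUTH {algorithm} {data.hex()}", data


def client_response(auth_line: str, password: bytes) -> str:
    """Parse the AUTH line, prepend the challenge to the password, hash it."""
    m = AUTH_LINE.match(auth_line)
    if m is None:
        raise ValueError("malformed AUTH line")
    algorithm, hex_data = m.groups()
    challenge = bytes.fromhex(hex_data)  # assumption: hex decoded to raw bytes
    return ALGORITHMS[algorithm](challenge + password).hexdigest()


def server_verify(username: str, algorithm: str, challenge: bytes, response: str) -> str:
    """Recompute the expected digest and answer AUTH_ACCEPTED or AUTH_REJECTED."""
    password = PASSWORDS.get(username)
    # Hash a dummy for unknown users so timing does not reveal valid usernames.
    expected = ALGORITHMS[algorithm](challenge + (password or b"\x00")).hexdigest()
    ok = hmac.compare_digest(expected, response.lower())  # constant-time compare
    return "AUTH_ACCEPTED" if ok and password is not None else "AUTH_REJECTED"


def run_exchange(username: str, password: bytes, algorithm: str = "MD5") -> str:
    """One round: server challenge, client digest, server verdict."""
    auth_line, challenge = make_challenge(algorithm)
    response = client_response(auth_line, password)
    return server_verify(username, algorithm, challenge, response)
```

Because the server recomputes the digest over a challenge it issued itself, a response captured from one session cannot be replayed against a later one.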