The EXTERNAL mechanism is used to authenticate a user to a server based on out-of-band authentication. EXTERNAL is typically used over TLS authenticated channels. Note that in the server, you need to make sure that TLS actually authenticated the client successfully. It is normally not sufficient to use TLS, since it also supports anonymous modes.
In the client, this mechanism is always enabled, and it will send the
GSASL_AUTHZID property as the authorization name to the server,
if the property is set. If the property is not set, the empty
authorization name is sent. You need not implement a callback.
In the server, this mechanism will request the
GSASL_VALIDATE_EXTERNAL callback property to decide whether the
client is authenticated and authorized to log in. Your callback can
retrieve the GSASL_AUTHZID property to inspect the requested
authorization name from the client.