[Standards] HTTP Authentication with XMPP (Concern over XEP-70)
Alex Jones
alex at weej.com
Thu Dec 20 20:13:52 CST 2007
On 20 Dec 2007, at 23:16, anders conbere wrote:
> On Dec 20, 2007 2:29 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
>> anders conbere wrote:
>>> On Dec 20, 2007 12:28 PM, Alex Jones <alex at weej.com> wrote:
>>>>
>>>> On 20 Dec 2007, at 20:18, anders conbere wrote:
>>>>
>>>>> In what I'm describing you wouldn't. The work flow is like this.
>>>>>
>>>>> 1) Site requests Authentication,
>>>>> 2) you enter your JID
>>>>> 3) site sends an http request to the jabber server requesting
>>>>> confirmation of user identity
>>>>> 4) Jabber server requests user credentials
>>>> This is the broken part, the part that can be maliciously abused.
>>>
>>> How could that be abused? You're entering credentials at the jabber
>>> server that you've already signed up for an account at. It could
>>> possibly be phished, but there are methodologies around that as
>>> well.
>>
>> I think what Alex is worried about is this flow:
>>
>> 1. Site requests authentication
>> 2. I enter your JID
>> 3. Site sends an HTTP request to your Jabber server requesting
>> confirmation of user identity
>> 4. Jabber server requests user credentials
>
> Ah I think there's some confusion here. When I say "jabber server
> requests user credentials" I really mean that it expects an http post
> with jid and password in it. In particular I would expect the html
> form and http server to both be a component of the jabber server, so
> the communication of the post happens between the jabber server and
> itself.
>
But I'm already logged on with my main XMPP client (I already
authenticated). I don't see why I should have to do it again just for
the sake of keeping everything inside a browser window. I value the
re-use of the existing infrastructure more -- and it doesn't even seem to
me that there is a compromise to be made. Besides, such a generic
mechanism could be used *outside* of a browser, e.g. asserting an
identity to a third party service like iTunes. Again, this seems to be
one of the oversights of OpenID -- it makes things difficult when you
want to forget about HTML viewers.
Your method requires that an authenticating party be using a server
that supports this mechanism. I see this as having a bigger question
mark than that which I explained about using a token. I can't imagine
a way for a user to manually achieve authentication this way, like one
could do by copying and pasting 2 numbers.
Sorry if this is incoherent, it's late :)
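Added illustration (not from the thread, and not XEP-0070's real wire format): a small Python model of the alternative the message argues for, where the site only asks the user's XMPP server to confirm a transaction, the challenge is pushed to the client session that is already authenticated, and no password is ever typed into anything the site triggered. It also plays through the flow Peter described (someone else enters your JID): the owner of the JID sees a challenge from a site they are not visiting and declines, so the site learns nothing. The class names, the HTTP-side `request_confirmation`/`poll_result` calls and the client behaviour are all constructed for this example.

```python
import secrets
import time


class XmppServer:
    """The user's own XMPP server plus the HTTP endpoint a site would call.
    Constructed model for this thread, not XEP-0070's actual protocol."""

    def __init__(self):
        self.sessions = {}   # jid -> inbox of pending challenges shown by the client
        self.pending = {}    # txn -> {"jid", "site", "expires"}
        self.results = {}    # txn -> (site, approved)

    def login(self, jid):
        """Ordinary client login; SASL happens here, once, and nowhere else."""
        self.sessions.setdefault(jid, [])

    def request_confirmation(self, jid, site, ttl=300):
        """HTTP call from the relying party. No password is requested; the
        server only pushes a challenge into a session that already exists."""
        if jid not in self.sessions:
            return None                      # nobody logged in, nothing to confirm
        txn = secrets.token_urlsafe(12)      # unguessable transaction id
        self.pending[txn] = {"jid": jid, "site": site,
                             "expires": time.monotonic() + ttl}
        self.sessions[jid].append({"txn": txn, "site": site})
        return txn

    def client_decide(self, jid, txn, approve):
        """The already-authenticated client answers; a txn is answered once."""
        rec = self.pending.get(txn)
        if rec is None or rec["jid"] != jid or time.monotonic() > rec["expires"]:
            self.pending.pop(txn, None)      # expired or foreign: drop it
            return False
        del self.pending[txn]
        self.sessions[jid] = [c for c in self.sessions[jid] if c["txn"] != txn]
        self.results[txn] = (rec["site"], bool(approve))
        return True

    def poll_result(self, txn, site):
        """The relying party learns only yes/no, and only for its own txn."""
        rec = self.results.get(txn)
        if rec is None or rec[0] != site:
            return False
        return rec[1]


def client_answers(server, jid, sites_being_visited):
    """What a sensible client does with its inbox: approve a challenge only if
    the user is actually at that site right now; anything else is declined."""
    for ch in list(server.sessions.get(jid, [])):
        server.client_decide(jid, ch["txn"], ch["site"] in sites_being_visited)


def site_login(server, jid, site, user_is_visiting):
    """The site's side: ask the JID's server, let the client answer, read yes/no.
    user_is_visiting=False models someone else typing this JID into the site."""
    txn = server.request_confirmation(jid, site)
    if txn is None:
        return False
    client_answers(server, jid, {site} if user_is_visiting else set())
    return server.poll_result(txn, site)


if __name__ == "__main__":
    srv = XmppServer()
    srv.login("alice@example.org")           # Alice's normal client session
    print(site_login(srv, "alice@example.org", "shop.example", True))    # True
    print(site_login(srv, "alice@example.org", "shop.example", False))   # False
    print(site_login(srv, "bob@example.org", "shop.example", True))      # False
```

The property worth noticing is that the only secret in the exchange is the transaction id, which the site never needs to keep and which is useless to anyone who cannot act inside the JID's existing session; the same challenge could just as well be shown as a short code for the user to compare by hand, which is the manual copy-and-paste path the message mentions.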