[Standards] Authentication via XMPP (Concern over XEP-70)

Peter Saint-Andre stpeter at stpeter.im
Tue Jan 8 14:14:41 CST 2008


Dave Cridland wrote:

> XEP-0070 doesn't introduce a new mechanism, in the protocol sense, it 
> introduces a hack to get Basic to be used for identity assertion. 
> (Actually, ownership of a jid).

I was just chatting about this with Maciek Niedzielski and he suggested 
a different kind of workflow for XEP-0070-like functionality:

1. User visits www.example.com

2. The website advertises a link to an XMPP-based authorization service, 
such as:

   xmpp:auth@example.com?message;body=[some-unique-id-here]

(The message could also include some kind of data form or hidden content 
that can't be modified by the user.)

3. User clicks the link and launches their Jabber client

4. Jabber client sends an XMPP message to the auth service:

<message from='user@example.net' to='auth@example.com'>
   <body>[some-unique-id-here]</body>
</message>

5. The website refreshes with some verification

Now the user is authorized at www.example.com (or a particular page there).

This removes the worry about someone else typing in your JID and 
spamming you with XMPP messages, because you initiate the exchange (not 
the website).

Thoughts?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
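As an added example (not code from Peter's message or from any XEP-0070 implementation), here is a hypothetical verifier for the auth service side of the workflow above, in Python: it mints the unique id that the website embeds in the link (step 2), consumes the <message/> the client sends (step 4), and marks the web session verified only if the id is known, unexpired and not yet used (step 5). The class name, the 120-second lifetime and the web-session binding are assumptions.

```python
import secrets
import time
import xml.etree.ElementTree as ET


class XmppAuthService:
    """Hypothetical auth@example.com verifier for the XEP-0070-like flow."""

    TTL = 120  # seconds a challenge stays valid (assumed value)

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # unique id -> (web session id, time issued)
        self.sessions = {}  # web session id -> verified bare JID

    def issue_link(self, session_id):
        """Step 2: mint an unguessable id bound to the visitor's web session."""
        unique_id = secrets.token_urlsafe(24)
        self.pending[unique_id] = (session_id, self.now())
        return f"xmpp:auth@example.com?message;body={unique_id}"

    def receive_message(self, stanza_xml):
        """Steps 4-5: validate the <message/> and return the verified session id, or None."""
        msg = ET.fromstring(stanza_xml)
        if msg.get("to") != "auth@example.com":
            return None
        body = msg.findtext("body", default="").strip()
        # Single use: the id is consumed whether or not the rest validates,
        # so a captured message cannot be replayed later.
        entry = self.pending.pop(body, None)
        if entry is None:
            return None
        session_id, issued = entry
        if self.now() - issued > self.TTL:
            return None
        # 'from' is trusted because the user's XMPP server stamps it on the
        # stanza; the auth service must not accept a client-supplied value.
        bare_jid = msg.get("from", "").split("/", 1)[0]
        if "@" not in bare_jid:
            return None
        self.sessions[session_id] = bare_jid
        return session_id
```

The website then looks up its own session id in `sessions` on refresh, which is what ties the browser that clicked the link to the JID that sent the message.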
