[Standards] Authentication via XMPP (Concern over XEP-70)

Peter Saint-Andre stpeter at stpeter.im
Wed Jan 16 09:38:55 CST 2008


Guenther Niess wrote:
> On Tue, Jan 08, 2008 at 01:14:41PM -0700, Peter Saint-Andre wrote:
>> I was just chatting about this with Maciek Niedzielski and he suggested 
>> a different kind of workflow for XEP-0070-like functionality:
>>
>> 1. User visits www.example.com
>>
>> 2. The website advertises a link to an XMPP-based authorization service, 
>> such as:
>>
>>   xmpp:auth@example.com?message;body=[some-unique-id-here]
>>
>> (The message could also include some kind of data form or hidden content 
>> that can't be modified by the user.)

As mentioned, such things can be hacked, so ignore that comment.

> Maybe this link can have two targets, one is the XMPP URI and the other
> the requested side which needs the authentication. But I've no idea
> how to do this in a nice way.

That might simply be included in the body.

>> 3. User clicks the link and launches their Jabber client

I should have said: "... or a jabber-enabled browser plugin."

>> 4. Jabber client sends an XMPP message to the auth service:
>>
>> <message from='user@example.net' to='auth@example.com'>
>>   <body>[some-unique-id-here]</body>
>> </message>
> 
> I think this message should also include the requested URL. This can 
> help the website to have more than one realm.

Yes, that should go in the message body as well.

>> 5. The website refreshes with some verification
> 
> I'm not sure how this can be done in a nice way. My only idea is via
> javascript, but maybe it will be better to work with the HTTP protocol
> or something else (In case that at 2. one link with two targets is not
> an appropriate solution).

That's a problem for website designers. :)

>> Now the user is authorized at www.example.com (or a particular page there).
> 
> Should this workflow use the HTTP Auth method as described in the RFC 
> (basic or something else)?

Well, the idea was that the site would advertise a special xmpp: URI for 
authorization, you would click that in your browser, the browser would 
hand off the URI to your Jabber client (which presumably you're using at 
the moment) or to a jabber-enabled browser plugin, and you would not 
have to be bothered with HTTP auth. This is kind of like XEP-0070 except 
the XMPP message is generated by the user, not the website (thus cutting 
down on the spam possibilities inherent in XEP-0070). But the token is 
generated by the website, so in that sense it is similar to RFC 4467:

http://www.ietf.org/rfc/rfc4467.txt

> Is someone working on the XEP? If not, then I would start writing a
> draft, but I think I need some help.

I think Maciek Niedzielski and I will work on this soon. And BTW we plan 
on deploying this system for user authentication (well, I suppose it's 
really authorization) at the new jabber.org website. So that will give 
us some practical experience with this method.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
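The five-step workflow quoted above, as an added example that is not part of the post or of any XEP draft: the website issues a single-use, time-limited token inside an xmpp: URI (with the requested URL in the body, as Guenther suggested), the client turns that URI into a `<message/>` stanza, and the auth service checks the token before recording which JID redeemed it. The class and function names, the in-memory dictionaries and the "token URL" body layout are assumptions made for this illustration.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, urlparse

class AuthService:  # website-side service: issues tokens, verifies messages
    def __init__(self, domain, ttl=300):
        self.domain, self.ttl = domain, ttl
        self.pending = {}     # token -> (requested URL, issue time)
        self.authorized = {}  # token -> bare JID that redeemed it

    def issue_link(self, requested_url):
        # Step 2: the token is generated by the website and put in the URI
        token = secrets.token_urlsafe(16)
        self.pending[token] = (requested_url, time.time())
        body = f"{token} {requested_url}"  # token plus realm (assumed layout)
        return token, f"xmpp:auth@{self.domain}?message;body={quote(body)}"

    def handle_stanza(self, stanza, now=None):
        # Step 4: 'from' can be trusted because the user's server stamps it
        now = time.time() if now is None else now
        parts = (stanza.findtext("body") or "").split(None, 1)
        if len(parts) != 2:
            return False
        token, url = parts
        entry = self.pending.pop(token, None)  # single use: a replay fails
        if entry is None:
            return False
        requested_url, issued = entry
        if now - issued > self.ttl or url != requested_url:
            return False  # expired, or token used for a different realm
        self.authorized[token] = stanza.get("from").split("/")[0]
        return True

    def check(self, token):
        # Step 5: the website polls this to learn which JID redeemed the token
        return self.authorized.get(token)

def client_message(uri, from_jid):
    # Steps 3-4: the client turns the xmpp: URI into a <message/> stanza
    parsed = urlparse(uri)
    if parsed.scheme != "xmpp":
        raise ValueError("not an xmpp: URI")
    action, *params = parsed.query.split(";")
    fields = dict(p.split("=", 1) for p in params)
    if action != "message" or "body" not in fields:
        raise ValueError("unsupported query action")
    msg = ET.Element("message", {"from": from_jid, "to": parsed.path})
    ET.SubElement(msg, "body").text = unquote(fields["body"])
    return msg
```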
