[Standards] Authentication via XMPP (Concern over XEP-70)
Richard Dobson
richard at dobson-i.net
Wed Jan 16 13:41:22 CST 2008
> Alternative option is to define new HTTP auth scheme. This is probably
> the "right" way to go, but... it *requires* browser support, as there
> will be no backward compatible mode.
>
>
> Yet another alternative is to change protocol flow:
> 1. server sends you auth agent JID (and only this) as realm
> 2. user asks agent (via XMPP) for one-time token/password
> 3. user provides this token as HTTP auth password (leaving username blank)
> Advantages are:
> * Multiple realms supported! Just use a different auth agent JID for each
> realm. And xmpp:photos@example.com is a more acceptable "abuse" of realm
> * This is pretty much like original XEP-70, but without spamming problem.
This is pretty much how XEP-0101 works, although as currently defined it
sends the token back to the HTTP server using its own auth scheme rather
than using Basic, but that could be an easy fallback method.
Richard
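
The alternative flow quoted above (agent JID as the realm, a one-time token fetched over XMPP, the token sent as the Basic password with a blank username), as an added Python example that is not part of the original message or of any XEP. The names `AuthAgent`, `issue`, `redeem`, `challenge` and `authenticate` and the 60-second lifetime are assumptions, and the XMPP exchange is replaced by a direct method call.

```python
import base64
import hashlib
import secrets
import time

class AuthAgent:
    """Hypothetical stand-in for the XMPP auth agent; XMPP transport is not modelled."""
    def __init__(self, realm_jid, ttl=60):          # ttl is an assumed lifetime
        self.realm_jid = realm_jid
        self.ttl = ttl
        self._pending = {}  # sha256(token) -> (requester JID, expiry time)

    def issue(self, requester_jid, now=None):
        """Step 2: the user asks the agent (over XMPP) for a one-time token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        # Store only a digest so a dump of the table does not yield usable tokens.
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (requester_jid, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the JID the token was issued to, or None. pop() makes it single-use."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None or now > entry[1]:
            return None
        return entry[0]

def challenge(agent):
    """Step 1: the HTTP server sends the agent JID, and only that, as the realm."""
    return 'Basic realm="xmpp:%s"' % agent.realm_jid

def authenticate(agent, authorization, now=None):
    """Step 3: accept Basic credentials with a blank username and the token as password."""
    scheme, _, blob = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    if not sep or user != "" or not password:
        return None
    return agent.redeem(password, now)
```

The identity the HTTP server ends up with is the JID that requested the token, so the username field carries nothing and a replayed or expired token is rejected.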