[Standards] Authentication via XMPP (Concern over XEP-70)
Peter Saint-Andre
stpeter at stpeter.im
Thu Jan 17 12:16:16 CST 2008
Richard Dobson wrote:
>> An alternative option is to define a new HTTP auth scheme. This is probably
>> the "right" way to go, but... it *requires* browser support, as there
>> will be no backward-compatible mode.
>>
>>
>> Yet another alternative is to change the protocol flow:
>> 1. server sends you the auth agent JID (and only this) as realm
>> 2. user asks the agent (via XMPP) for a one-time token/password
>> 3. user provides this token as the HTTP auth password (leaving username
>> blank)
>> Advantages are:
>> * Multiple realms supported! Just use a different auth agent JID for
>> each realm. And xmpp:photos@example.com is a more acceptable "abuse"
>> of realm
>> * This is pretty much like the original XEP-70, but without the spamming problem.
>
> This is pretty much how XEP-0101 works, although as currently defined it
> sends the token back to the HTTP server using its own auth scheme rather
> than using Basic, but that could be an easy fallback method.
Yeah, I think that specialized auth schemes are pretty much a non-starter...
Peter
--
Peter Saint-Andre
https://stpeter.im/
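
The three-step flow quoted above (realm carries the auth agent JID, the user fetches a one-time token over XMPP, the token is sent as the Basic password with a blank username), sketched as an added example that is not part of the original thread. The XMPP leg is not modelled; the class and function names, the token lifetime, and the requesting JID are assumptions.

```python
import base64, hashlib, secrets, time

AGENT_JID = "photos@example.com"  # auth agent JID from the thread's realm example
TOKEN_TTL = 120                   # assumed token lifetime in seconds

class AuthAgent:
    """Stands in for the XMPP auth agent (hypothetical; XMPP transport not modelled)."""
    def __init__(self):
        self._pending = {}        # sha256(token) -> (requesting JID, expiry time)

    def issue(self, user_jid, now=None):
        # Step 2: the user asks the agent for a one-time token.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user_jid, now + TOKEN_TTL)
        return token

    def redeem(self, token, now=None):
        """Return the JID the token was issued to, or None. Tokens are single use."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop: a replay finds nothing
        if entry is None or now > entry[1]:
            return None
        return entry[0]

def challenge():
    # Step 1: the realm carries the auth agent JID and nothing else.
    return 401, {"WWW-Authenticate": f'Basic realm="xmpp:{AGENT_JID}"'}

def basic_header(token):
    # Step 3 (client side): blank username, token as the password.
    return "Basic " + base64.b64encode(b":" + token.encode()).decode()

def authenticate(agent, authorization, now=None):
    """Step 3 (server side): return the authenticated JID, or None to re-challenge."""
    scheme, _, blob = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except ValueError:            # malformed base64 or non-UTF-8 bytes
        return None
    user, sep, password = decoded.partition(":")
    if user or not sep or not password:
        return None               # username must be blank, token must be present
    return agent.redeem(password, now)
```

Storing only a hash of each pending token means a dump of the agent's table does not yield usable passwords, and the `pop` in `redeem` is what makes a captured `Authorization` header worthless on replay.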