[Standards] Authentication via XMPP (Concern over XEP-70)
Peter Saint-Andre
stpeter at stpeter.im
Thu Jan 17 13:04:04 CST 2008
Maciek Niedzielski wrote:
> Yet another alternative is to change protocol flow:
> 1. server sends you auth agent JID (and only this) as realm
> 2. user asks agent (via XMPP) for one-time-token/password
> 3. user provides this token as HTTP auth password (leaving username blank)
> Advantages are:
> * Multiple realms supported! Just use different auth agent JID for each
> realm. And xmpp:photos at example.com is a more acceptable "abuse" of realm
> * This is pretty much like original XEP-70, but without spamming problem.
I think that is worth pursuing.
How does the browser know what to do with a realm that is an XMPP URI?
Is there a browser plugin that passes that off to a Jabber client so it
can send the token request to the agent?
> Now of course we could use the same protocol flow for authentication
> based on HTML forms (instead of HTTP-headers):
> 1. website displays agent JID (may be clickable)
> 2. user asks agent for a token
> (these two steps could be automated like before:
> xmpp:agent at example.com?message;body=give_me_token) and agent sends it
> back in a message
> 3. user does copy/paste and logs is.
>
> Honestly, this was my initial idea. But then I thought: if I replaced
> "give me token" with "give me token, my session id is 1234", then server
> could proceed with authentication without user pasting the token back to
> the browser.
The copy+paste thing does slow it all down. But if your browser plugin
is Jabber-enabled then you don't need to involve an IM client, right?
>> Is someone working on the XEP? If not, then I would start writing a
>> draft, but I think I need some help.
>
> My draft of this Informational Tip-of-the-Day XEP would be:
> To bind XMPP identity to HTTP "session"(*), display an opaque token on
> your site and ask the visitor to send it to you via XMPP, using his/her
> desired JID. End ;)
Heh.
> (* - I know that there is no such thing as HTTP session, but somehow it
> works in "real life")
>
> Of course, if we want a solution that may be automated, adding <link
> rel="xmppauth">, etc could help.
Sure, that auto-discovery stuff is always good.
Peter
--
Peter Saint-Andre
https://stpeter.im/
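The two token flows quoted above (a one-time token presented as the HTTP Basic password with a blank username, and the automated "give me token, my session id is 1234" variant), as an added Python sketch that is not part of the thread or of any XEP. The agent JID, message bodies, single-use handling and the 120-second lifetime are assumptions, and XMPP delivery is simulated by a method call.

```python
import base64, hashlib, secrets, time
TOKEN_TTL = 120  # seconds; assumed value, the thread fixes no lifetime

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

class AuthAgent:
    """Simulated XMPP auth agent (the thread's xmpp:agent at example.com).
    In a real deployment the bodies below arrive as XMPP message stanzas."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}    # sha256(token) -> (jid, issued_at); never the token itself
        self._sessions = {}  # web session id -> jid, for the automated variant

    def handle_message(self, from_jid, body):
        """Reply to a message whose sender JID the XMPP server has authenticated."""
        body = body.strip()
        if body == "give_me_token":
            token = secrets.token_urlsafe(24)  # opaque and unguessable
            self._tokens[_h(token)] = (from_jid, self.clock())
            return token  # the user pastes this into the browser's password field
        if body.startswith("give_me_token session="):
            self._sessions[body.split("=", 1)[1]] = from_jid  # no copy/paste needed
            return "ok"
        return "unknown request"

    def redeem_token(self, token):
        """Single use, bounded lifetime. Returns the bound JID or None."""
        entry = self._tokens.pop(_h(token), None)  # pop: a replayed token fails
        if entry is None:
            return None
        jid, issued = entry
        return jid if self.clock() - issued <= TOKEN_TTL else None

    def session_jid(self, session_id):
        """Automated variant: which JID claimed this web session, if any (single use)."""
        return self._sessions.pop(session_id, None)

def basic_header(username, password):
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def authenticate_basic(agent, authorization_header):
    """HTTP side of step 3: Basic auth with a blank username and the token as password."""
    scheme, _, b64 = authorization_header.partition(" ")
    try:
        user, _, password = base64.b64decode(b64).decode().partition(":")
    except Exception:
        return None
    return agent.redeem_token(password) if scheme == "Basic" and user == "" else None
```

Because only hashes of outstanding tokens are stored and each one is popped on first use, a leaked token store or a replayed Authorization header does not yield a login.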