[webteam] auth idea
Alex Jones
alex at weej.com
Tue Jan 29 05:19:33 CST 2008
Hi Peter
On 28 Jan 2008, at 20:48, Peter Saint-Andre wrote:
> At the last meeting we talked about website authentication. Here is the
> general idea:
>
> 1. User visits www.jabber.org
>
> 2. There is a special authentication link, like this:
>
> xmpp:auth@jabber.org?message;body=token
>
> Where "auth@jabber.org" is the address for our special "AuthAgent".
>
> 3. User's Jabber client (or browser plugin?) sends XMPP message
> containing token to AuthAgent.
>
> 4. AuthAgent receives XMPP message and passes it to Drupal, probably via
> hook_auth, see:
>
> http://mail.jabber.org/pipermail/webteam/2007-November/000609.html
>
> 5. Drupal reloads page (or some fancier Ajax function happens) and logs
> in the user.
>
> I think this is an accurate summary of the general idea, but correct me
> if I'm wrong. See also this thread for related conversation:
>
> http://mail.jabber.org/pipermail/standards/2008-January/017472.html
>
> Peter
Hmm, this sounds familiar! ;)
I haven't read the minutes, but I take it that we'll be using some
kind of secret token in the HTTP (over TLS) interaction as well, to
stop anyone who is sniffing the XMPP connection (which may be
unencrypted at some point) from assuming someone's identity.
If not, we should. :)
Alex
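
One way to pair the XMPP token with a secret that only travels over the HTTPS session, as suggested in the reply above. This is an added example, not part of the original message and not Drupal or jabber.org code; the `AuthBroker` class, its method names and the 300-second lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 300  # seconds a login link stays valid (assumed value)

class AuthBroker:
    """Pairs the token shown in the xmpp: link with a secret that only
    travels over the HTTPS session (hypothetical class, not Drupal code)."""

    def __init__(self):
        self._pending = {}  # token -> [sha256(session_secret), expiry, jid]

    def start_login(self, now=None):
        """Called when the page is rendered. Returns (token, session_secret):
        the token goes into the xmpp: link body, the secret into a Secure,
        HttpOnly cookie."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        session_secret = secrets.token_urlsafe(32)
        digest = hashlib.sha256(session_secret.encode()).digest()
        self._pending[token] = [digest, now + TOKEN_TTL, None]
        return token, session_secret

    def xmpp_message(self, from_jid, body, now=None):
        """Called by the AuthAgent for each incoming message."""
        now = time.time() if now is None else now
        entry = self._pending.get(body.strip())
        if entry is None or now > entry[1] or entry[2] is not None:
            return False  # unknown, expired, or already claimed token
        entry[2] = from_jid.split("/", 1)[0]  # bare JID, resource stripped
        return True

    def finish_login(self, token, session_secret, now=None):
        """Called by the web side on reload/poll. Returns the JID to log in,
        or None. The token alone is not enough."""
        now = time.time() if now is None else now
        entry = self._pending.get(token)
        if entry is None or now > entry[1] or entry[2] is None:
            return None
        digest = hashlib.sha256(session_secret.encode()).digest()
        if not hmac.compare_digest(digest, entry[0]):
            return None  # token seen on the XMPP side, but wrong HTTP session
        del self._pending[token]  # single use
        return entry[2]
```

The web session is logged in only when it presents both the token and the cookie secret, so a party that observes only the XMPP message cannot complete the login.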