[webteam] auth idea

Peter Saint-Andre stpeter at stpeter.im
Tue Jan 29 09:26:20 CST 2008


Alex Jones wrote:
> Hi Peter
> 
> On 28 Jan 2008, at 20:48, Peter Saint-Andre wrote:
> 
>> At the last meeting we talked about website authentication. Here is the
>> general idea:
>>
>> 1. User visits www.jabber.org
>>
>> 2. There is a special authentication link, like this:
>>
>>   xmpp:auth at jabber.org?message;body=token
>>
>> Where "auth at jabber.org" is the address for our special "AuthAgent".
>>
>> 3. User's Jabber client (or browser plugin?) sends XMPP message
>> containing token to AuthAgent.
>>
>> 4. AuthAgent receives XMPP message and passes it to Drupal, probably via
>> hook_auth, see:
>>
>> http://mail.jabber.org/pipermail/webteam/2007-November/000609.html
>>
>> 5. Drupal reloads page (or some fancier Ajax function happens) and logs
>> in the user.
>>
>> I think this is an accurate summary of the general idea, but correct me
>> if I'm wrong. See also this thread for related conversation:
>>
>> http://mail.jabber.org/pipermail/standards/2008-January/017472.html
>>
>> Peter
> 
> Hmm, this sounds familiar! ;)
> 
> I haven't read the minutes, but I take it that we'll be using some kind
> of secret token in the HTTP (over TLS) interaction as well, to stop
> anyone who is sniffing the XMPP connection (which may be unencrypted at
> some point) from assuming someone's identity.

The token would probably be an HMAC-SHA256 token, as we use for server
dialback. The AuthAgent would verify it based on a shared secret. That
should be pretty secure.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
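An added example, not code from this thread or from the jabber.org/Drupal side, of how the HMAC-SHA256 token and its AuthAgent-side check could look; it assumes a hypothetical token format and a constructed shared secret, and adds expiry and single-use checks so a token seen on an unencrypted XMPP hop cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Shared secret held by both the web server and the AuthAgent.
# Constructed value for the example; real deployments load it from config.
SHARED_SECRET = b"constructed-shared-secret-for-demo"
TOKEN_TTL_SECONDS = 300  # how long a minted token stays valid


def mint_token(secret, session_id, issued_at, nonce=""):
    """Web server side: build the token placed in the xmpp: auth link.

    Hypothetical format: session_id.issued_at.nonce.mac, where mac is
    HMAC-SHA256 over the first three fields keyed with the shared secret.
    session_id ties the token to the browser's TLS session (cookie).
    """
    nonce = nonce or secrets.token_hex(8)
    payload = f"{session_id}.{issued_at}.{nonce}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def auth_link(token, agent_jid="auth@jabber.org"):
    """The special link the page shows (step 2 of the proposal)."""
    return f"xmpp:{agent_jid}?message;body={token}"


def verify_token(secret, token, now, used_nonces):
    """AuthAgent side: return the session id to log in, or None on failure.

    used_nonces is a set shared across calls so each token works once.
    """
    parts = token.split(".")
    if len(parts) != 4:
        return None
    session_id, issued_at, nonce, mac = parts
    payload = f"{session_id}.{issued_at}.{nonce}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; reject before looking at anything else.
    if not hmac.compare_digest(expected, mac):
        return None
    if not issued_at.isdigit():
        return None
    age = now - int(issued_at)
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return None  # expired or not yet valid
    if nonce in used_nonces:
        return None  # replay of a token already consumed
    used_nonces.add(nonce)
    return session_id
```

Drupal would then log in the browser session named by the returned session id as the JID that sent the XMPP message.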
