[webteam] auth idea

Solarius ville.solarius at gmail.com
Tue Jan 29 16:31:18 CST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys!
What about the following:
1. User inserts their JID in the webpage.
2. A message will be sent to the user, which contains a confirmation link
(only one message needed, then we can close the XMPP connection to the
user).
3. User will click the link, which has a unique ID, and the user will be logged in.

In this method, you don't need to keep the connection open for confirmation.

Comments wanted ;)
Peter Saint-Andre wrote:
> Alex Jones wrote:
>> Hi Peter
>>
>> On 28 Jan 2008, at 20:48, Peter Saint-Andre wrote:
>>
>>> At the last meeting we talked about website authentication. Here is the
>>> general idea:
>>>
>>> 1. User visits www.jabber.org
>>>
>>> 2. There is a special authentication link, like this:
>>>
>>>   xmpp:auth at jabber.org?message;body=token
>>>
>>> Where "auth at jabber.org" is the address for our special "AuthAgent".
>>>
>>> 3. User's Jabber client (or browser plugin?) sends XMPP message
>>> containing token to AuthAgent.
>>>
>>> 4. AuthAgent receives XMPP message and passes it to Drupal, probably via
>>> hook_auth, see:
>>>
>>> http://mail.jabber.org/pipermail/webteam/2007-November/000609.html
>>>
>>> 5. Drupal reloads page (or some fancier Ajax function happens) and logs
>>> in the user.
>>>
>>> I think this is an accurate summary of the general idea, but correct me
>>> if I'm wrong. See also this thread for related conversation:
>>>
>>> http://mail.jabber.org/pipermail/standards/2008-January/017472.html
>>>
>>> Peter
>> Hmm, this sounds familiar! ;)
>>
>> I haven't read the minutes, but I take it that we'll be using some kind
>> of secret token in the HTTP (over TLS) interaction as well, to stop
>> anyone who is sniffing the XMPP connection (which may be unencrypted at
>> some point) from assuming someone's identity.
> 
> The token would probably be an HMAC-SHA256 token, as we use for server
> dialback. The AuthAgent would verify it based on a shared secret. That
> should be pretty secure.
> 
> Peter
> 


--
Regards,
Solarius - http://www.solarius.name
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHn6k1jnBbTfuxhusRAmkQAJ9e36GzNhc8IY2BZwjvv26voOEOyQCeIXW0
USPLiirwSSjt10xQVQRmyDA=
=VWTv
-----END PGP SIGNATURE-----
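The two designs in this thread share one building block: a token that the web side can verify against a shared secret (Peter's HMAC-SHA256 idea) and that is only good once and only briefly (the confirmation link Solarius proposes). Below is an added example of such a token, written for this thread and not code from jabber.org, Drupal or any AuthAgent. The confirmation URL, the secret, the token layout (`jid.nonce.expiry.mac`) and the ten-minute lifetime are all assumptions; the point is that the MAC binds the JID, a random nonce and an expiry together, verification is constant-time, and a redeemed nonce cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed secret for this example only; in practice it is loaded from
# configuration and shared between the web application and the AuthAgent.
SHARED_SECRET = b"example-shared-secret-do-not-use"
TOKEN_TTL_SECONDS = 600  # the link stays valid for ten minutes (assumption)
CONFIRM_URL = "https://www.jabber.org/auth/confirm?token="  # hypothetical endpoint

_used_nonces: set = set()  # nonces already redeemed; makes each link single-use


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(jid: str, nonce: str, expires: int) -> str:
    # Bind the MAC to JID, nonce and expiry so no field can be swapped alone.
    msg = f"{jid}\x00{nonce}\x00{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(jid: str, now: Optional[int] = None) -> str:
    """Step 2: build the token that goes into the link sent over XMPP."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_urlsafe(16)
    return f"{_b64(jid.encode())}.{nonce}.{expires}.{_mac(jid, nonce, expires)}"


def confirmation_link(jid: str, now: Optional[int] = None) -> str:
    return CONFIRM_URL + issue_token(jid, now)


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Step 3: on click, return the JID to log in, or None if the token is bad."""
    now = int(time.time()) if now is None else now
    try:
        jid_b64, nonce, expires_s, mac = token.split(".")
        jid = _unb64(jid_b64).decode()
        expires = int(expires_s)
    except ValueError:  # wrong shape, bad base64 or non-numeric expiry
        return None
    # Check the MAC first, in constant time, so forged tokens never touch state.
    if not hmac.compare_digest(mac, _mac(jid, nonce, expires)):
        return None
    if now > expires:
        return None
    if nonce in _used_nonces:
        return None  # replayed link
    _used_nonces.add(nonce)
    return jid
```

Because the JID and expiry travel inside the token and the MAC covers them, the AuthAgent needs only the shared secret to verify a click; the only state it keeps is the set of nonces already redeemed, which can be pruned once their expiry has passed.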

