[webteam] auth idea
Peter Saint-Andre
stpeter at stpeter.im
Tue Jan 29 16:06:57 CST 2008
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Solarius wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi guys!
> What about following:
> 1. User inserts hirs JID in the webpage.
> 2. A message will be sent to user, which contains a confirmation link
> (only one message needed, then we can close the XMPP connection to the
> user).
> 3. User will click the link which has unique ID, and user will be logged in.
>
> In this method, you don't need to keep the connection open for confirmation.
>
> Comments wanted ;)
That's basically what XEP-0070 defines. The problem is, there is a spam
attack: I write a bot that inputs your JID repeatedly and you receive
hundreds of verification requests in your Jabber client. Not good.
Peter
> Peter Saint-Andre wrote:
>> Alex Jones wrote:
>>> Hi Peter
>>>
>>> On 28 Jan 2008, at 20:48, Peter Saint-Andre wrote:
>>>
>>>> At the last meeting we talked about website authentication. Here is the
>>>> general idea:
>>>>
>>>> 1. User visits www.jabber.org
>>>>
>>>> 2. There is a special authentication link, like this:
>>>>
>>>> xmpp:auth at jabber.org?message;body=token
>>>>
>>>> Where "auth at jabber.org" is the address for our special "AuthAgent".
>>>>
>>>> 3. User's Jabber client (or browser plugin?) sends XMPP message
>>>> containing token to AuthAgent.
>>>>
>>>> 4. AuthAgent receives XMPP message and passes it to Drupal, probably via
>>>> hook_auth, see:
>>>>
>>>> http://mail.jabber.org/pipermail/webteam/2007-November/000609.html
>>>>
>>>> 5. Drupal reloads page (or some fancier Ajax function happens) and logs
>>>> in the user.
>>>>
>>>> I think this is an accurate summary of the general idea, but correct me
>>>> if I'm wrong. See also this thread for related conversation:
>>>>
>>>> http://mail.jabber.org/pipermail/standards/2008-January/017472.html
>>>>
>>>> Peter
>>> Hmm, this sounds familiar! ;)
>>>
>>> I haven't read the minutes, but I take it that we'll be using some kind
>>> of secret token in the HTTP (over TLS) interaction as well, to stop
>>> anyone who is sniffing the XMPP connection (which may be unencrypted at
>>> some point) from assuming someone's identity.
>> The token would probably be an HMAC-SHA256 token, as we use for server
>> dialback. The AuthAgent would verify it based on a shared secret. That
>> should be pretty secure.
>>
>> Peter
>>
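The xmpp:-link flow sketched in the quoted thread (website mints an HMAC-SHA256 token, the Jabber client sends it to the AuthAgent, the AuthAgent checks it against a shared secret and tells Drupal which browser session to log in) as an added example. This is illustrative code written for this page, not jabber.org or Drupal code, and it assumes things the thread does not specify: the token format (session id, expiry, MAC), a 5-minute lifetime, single-use tokens, and the demo secret. The expiry and the binding to the web session are assumptions added so that a token sniffed from an unencrypted XMPP hop cannot be replayed for a different browser session, the concern Alex raises above.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

# Assumption: secret shared between the Drupal site and the AuthAgent
# (constructed demo value, not a real secret).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
TOKEN_TTL = 300  # seconds; assumption, the thread gives no lifetime


def mint_token(session_id, now=None, secret=SHARED_SECRET):
    """Website side: token = session_id '.' expiry '.' HMAC-SHA256(secret, session_id ':' expiry).

    Binding the token to the browser session id means the AuthAgent can only
    ever log in the session that asked for the link, not whoever holds the token.
    """
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    msg = f"{session_id}:{expiry}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{session_id}.{expiry}.{mac}"


def auth_link(token, agent="auth@jabber.org"):
    """Build the special authentication link from the thread (step 2)."""
    return f"xmpp:{agent}?message;body={quote(token, safe='')}"


def verify_token(token, now=None, secret=SHARED_SECRET):
    """AuthAgent side: return the session id to log in, or None if the token is bad."""
    try:
        session_id, expiry_s, mac = token.split(".")
        expiry = int(expiry_s)
    except ValueError:
        return None  # malformed token
    current = int(now if now is not None else time.time())
    if current > expiry:
        return None  # expired
    expected = hmac.new(secret, f"{session_id}:{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot time the MAC check byte by byte.
    if not hmac.compare_digest(expected, mac):
        return None
    return session_id


class AuthAgent:
    """Receives the XMPP message (step 3/4) and records which JID owns which session."""

    def __init__(self, secret=SHARED_SECRET):
        self.secret = secret
        self.used = set()    # tokens already consumed: a replayed token is rejected
        self.logins = {}     # session_id -> JID, what would be handed to Drupal's hook

    def on_message(self, sender_jid, body, now=None):
        session_id = verify_token(body, now, self.secret)
        if session_id is None or body in self.used:
            return False
        self.used.add(body)
        self.logins[session_id] = sender_jid
        return True


if __name__ == "__main__":
    tok = mint_token("abc123")
    print(auth_link(tok))
    agent = AuthAgent()
    print(agent.on_message("user@example.net", tok))    # True, session abc123 now belongs to that JID
    print(agent.on_message("mallory@example.net", tok)) # False, token already used
```

The token carries no secret material itself, so seeing it on the wire does not let anyone mint further tokens; what an eavesdropper could do is race the legitimate client to deliver it first, which is why the website must still tie the login to the session cookie that requested the link rather than to the token alone.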