19 Mar
2025
19 Mar
'25
8:46 a.m.
Hello,
I am confused about those two elements: `authorization-identity` and
`authorization-identifier`.
Are they equivalent? They seem to be used in the same context.
Grepping the XEPS repo shows both are used:
$ grep -rl authorization-identity
./xep-0484.xml
./inbox/xep-fast.xml
./inbox/sasl2.xml
./xep-0386.xml
$ grep -rl authorization-identifier
./xep-0480.xml
./inbox/xep-downgrade-prevention.xml
./inbox/xep-scram-upgrade.xml
./inbox/sasl2.xml
./xep-0198.xml
./xep-0388.xml
./xep-0474.xml
What confuses me is that they both are used in the same context, f. ex.:
"XEP-0386: Bind 2" has `authorization-identity` in successful Bind response:
https://xmpp.org/extensions/xep-0386.html#example-4
<success xmlns='urn:xmpp:sasl:2'>
<authorization-identity>user(a)example.com/AwesomeXMPP.4232f4d4
</authorization-identity>
<bound xmlns='urn:xmpp:bind:0'>
<metadata xmlns='urn:xmpp:mam:2'>
<start id='YWxwaGEg' timestamp='2008-08-22T21:09:04Z' />
<end id='b21lZ2Eg' timestamp='2020-04-20T14:34:21Z' />
</metadata>
</bound>
</success>
But "XEP-0388: Extensible SASL Profile" uses `authorization-identifier`
https://xmpp.org/extensions/xep-0388.html#example-7
<success xmlns='urn:xmpp:sasl:2'>
<!-- Base64 of: 'v=msVHs/BzIOHDqXeVH7EmmDu9id8=' -->
<additional-data>
dj1tc1ZIcy9CeklPSERxWGVWSDdFbW1EdTlpZDg9
</additional-data>
<authorization-identifier>user(a)example.org</authorization-identifier>
</success>
Is it valid to use `authorization-identifier` in all those cases?
What about other XEPS that use `authorization-identity` f. ex.
"XEP-0484: Fast Authentication Streamlining Tokens" ?
https://xmpp.org/extensions/xep-0484.html#example-3
It seems that clients need to expect both variants anyway.
I am hoping for some advice or clarification, maybe I have missed something.
Thanks,
Andrzej
--
*Come see us at: *Alchemy Conf 2-3 Apr | ElixirConf EU 15-16 May | Code
BEAM Lite Stockholm 2 Jun | Lambda Days 12-13 Jun | *Learn more >>
<https://www.erlang-solutions.com/events/>*
Erlang Solutions cares about
your data and privacy;
please find all details about the basis for
communicating with you and the way we
process your data in our Privacy
Policy. <https://www.erlang-solutions.com/privacy-policy.html> You can
update your email preferences or unsubscribe from all lists here.
<https://forms.erlangsolutions.com/email-preference?epc_hash=pZxDpeyjOBLTF6PHvHhRqcHgo7EMrP5UyVBVmFrgF3g>
19 Mar
19 Mar
10:12 a.m.
On Wed, 19 Mar 2025 at 15:53, Andrzej Telezynski
<andrzej.telezynski(a)erlang-solutions.com> wrote:
Hello,
I am confused about those two elements: `authorization-identity` and
`authorization-identifier`.
Are they equivalent? They seem to be used in the same context.
Ha, lots of fun. I think the correct one is
<authorization-identifier/>. It's in XEP-0388 which is the official
definition of the urn:xmpp:sasl:2 namespace. I confirmed it's also
what Prosody is using, and lots of client implementations were
developed against Prosody.
The SASL RFC ( https://www.rfc-editor.org/rfc/rfc4422 ) uses the term
"authorization identity" (the term "authorization identifier" does
not
appear), so I guess that's how the "wrong" term slipped in by mistake,
and probably got copied into the later XEPs.
Grepping the XEPS repo shows both are used:
$ grep -rl authorization-identity
./xep-0484.xml
./inbox/xep-fast.xml
./inbox/sasl2.xml
./xep-0386.xml
$ grep -rl authorization-identifier
./xep-0480.xml
./inbox/xep-downgrade-prevention.xml
./inbox/xep-scram-upgrade.xml
./inbox/sasl2.xml
./xep-0198.xml
./xep-0388.xml
./xep-0474.xml
What confuses me is that they both are used in the same context, f. ex.:
"XEP-0386: Bind 2" has `authorization-identity` in successful Bind response:
https://xmpp.org/extensions/xep-0386.html#example-4
<success xmlns='urn:xmpp:sasl:2'>
<authorization-identity>user(a)example.com/AwesomeXMPP.4232f4d4</authorization-identity>
<bound xmlns='urn:xmpp:bind:0'>
<metadata xmlns='urn:xmpp:mam:2'>
<start id='YWxwaGEg' timestamp='2008-08-22T21:09:04Z' />
<end id='b21lZ2Eg' timestamp='2020-04-20T14:34:21Z' />
</metadata>
</bound>
</success>
But "XEP-0388: Extensible SASL Profile" uses `authorization-identifier`
https://xmpp.org/extensions/xep-0388.html#example-7
<success xmlns='urn:xmpp:sasl:2'>
<!-- Base64 of: 'v=msVHs/BzIOHDqXeVH7EmmDu9id8=' -->
<additional-data>
dj1tc1ZIcy9CeklPSERxWGVWSDdFbW1EdTlpZDg9
</additional-data>
<authorization-identifier>user(a)example.org</authorization-identifier>
</success>
Is it valid to use `authorization-identifier` in all those cases?
What about other XEPS that use `authorization-identity` f. ex.
"XEP-0484: Fast Authentication Streamlining Tokens" ?
https://xmpp.org/extensions/xep-0484.html#example-3
It seems that clients need to expect both variants anyway.
It's a mistake in the XEPs, they shouldn't be contradicting each
other. XEP-0388 defines the urn:xmpp:sasl:2 namespace and it defines
only <authorization-identifier/>.
The only XEPs containing 'authorization-identity' are XEP-0386 and
XEP-0484, and I worked on both of those, so apologies! I'll make sure
they get fixed.
Maybe if we ever bump the sasl:2 namespace we can change the element
name to match the SASL RFC's original terminology though :)
Regards,
Matthew
20 Mar
20 Mar
2:56 a.m.
On Wed, Mar 19, 2025 at 6:12 PM Matthew Wild <mwild1(a)gmail.com> wrote:
I think the correct one is
<authorization-identifier/>. It's in XEP-0388 which is the official
definition of the urn:xmpp:sasl:2 namespace. I confirmed it's also
what Prosody is using, and lots of client implementations were
developed against Prosody.
Thanks for clarification!
So <authorization-identifier/> it is.
Regards,
Andrzej
--
*Come see us at: *Alchemy Conf 2-3 Apr | ElixirConf EU 15-16 May | Code
BEAM Lite Stockholm 2 Jun | Lambda Days 12-13 Jun | *Learn more >>
<https://www.erlang-solutions.com/events/>*
Erlang Solutions cares about
your data and privacy;
please find all details about the basis for
communicating with you and the way we
process your data in our Privacy
Policy. <https://www.erlang-solutions.com/privacy-policy.html> You can
update your email preferences or unsubscribe from all lists here.
<https://forms.erlangsolutions.com/email-preference?epc_hash=pZxDpeyjOBLTF6PHvHhRqcHgo7EMrP5UyVBVmFrgF3g>
31 Mar
31 Mar
7:12 a.m.
On Wed, 19 Mar 2025 at 17:12, Matthew Wild <mwild1(a)gmail.com> wrote:
Yeah, it's not ideal, but I think we're stuck with it.
Strictly speaking, I think I'm sort of right in as much as an identifier is
a name, whereas the identity is something more abstract. RFC 4422 does use
the term "authorization identity string", which is what
"authorization-identifier" is. <authorization-identity-string/> is really
getting a little too verbose - be glad it wasn't <authz-id-string/>, which
would match the ABNF.
On Wed, 19 Mar 2025 at 15:53, Andrzej Telezynski
<andrzej.telezynski(a)erlang-solutions.com> wrote:
Whoops. Sorry.
Hello,
I am confused about those two elements: `authorization-identity` and
`authorization-identifier`.
Are they equivalent? They seem to be used in the
same context.
Ha, lots of fun. I think the correct one is
<authorization-identifier/>. It's in XEP-0388 which is the official
definition of the urn:xmpp:sasl:2 namespace. I confirmed it's also
what Prosody is using, and lots of client implementations were
developed against Prosody.
The SASL RFC (https://www.rfc-editor.org/rfc/rfc4422 ) uses the term
"authorization identity" (the term "authorization identifier" does
not
appear), so I guess that's how the "wrong" term slipped in by mistake,
and probably got copied into the later XEPs.
Grepping the
XEPS repo shows both are used:
$ grep -rl authorization-identity
./xep-0484.xml
./inbox/xep-fast.xml
./inbox/sasl2.xml
./xep-0386.xml
$ grep -rl authorization-identifier
./xep-0480.xml
./inbox/xep-downgrade-prevention.xml
./inbox/xep-scram-upgrade.xml
./inbox/sasl2.xml
./xep-0198.xml
./xep-0388.xml
./xep-0474.xml
What confuses me is that they both are used in the same context, f. ex.:
"XEP-0386: Bind 2" has `authorization-identity` in successful Bind
response:
https://xmpp.org/extensions/xep-0386.html#example-4
<success xmlns='urn:xmpp:sasl:2'>
<authorization-identity>user(a)example.com/AwesomeXMPP.4232f4d4
</authorization-identity>
<bound xmlns='urn:xmpp:bind:0'>
<metadata xmlns='urn:xmpp:mam:2'>
<start id='YWxwaGEg' timestamp='2008-08-22T21:09:04Z' />
<end id='b21lZ2Eg' timestamp='2020-04-20T14:34:21Z' />
</metadata>
</bound>
</success>
But "XEP-0388: Extensible SASL Profile" uses `authorization-identifier`
https://xmpp.org/extensions/xep-0388.html#example-7
<success xmlns='urn:xmpp:sasl:2'>
<!-- Base64 of: 'v=msVHs/BzIOHDqXeVH7EmmDu9id8=' -->
<additional-data>
dj1tc1ZIcy9CeklPSERxWGVWSDdFbW1EdTlpZDg9
</additional-data>
<authorization-identifier>user(a)example.org</authorization-identifier>
</success>
Is it valid to use `authorization-identifier` in all those cases?
What about other XEPS that use `authorization-identity` f. ex.
"XEP-0484: Fast Authentication Streamlining Tokens" ?
https://xmpp.org/extensions/xep-0484.html#example-3
It seems that clients need to expect both variants anyway.
It's a mistake in the XEPs, they shouldn't be contradicting each
other. XEP-0388 defines the urn:xmpp:sasl:2 namespace and it defines
only <authorization-identifier/>.
The only XEPs containing 'authorization-identity' are XEP-0386 and
XEP-0484, and I worked on both of those, so apologies! I'll make sure
they get fixed.
Maybe if we ever bump the sasl:2 namespace we can change the element
name to match the SASL RFC's original terminology though :)
Regards,
Matthew
_______________________________________________
Standards mailing list -- standards(a)xmpp.org
To unsubscribe send an email to standards-leave(a)xmpp.org
218
days inactive
230
days old
3 comments
3 participants
participants (3)
-
Andrzej Telezynski -
Dave Cridland -
Matthew Wild