[jdev] OAuth and XMPP

Peter Saint-Andre stpeter at stpeter.im
Mon Jul 28 16:04:44 CDT 2008


Nathan Fritz wrote:
> 
> 
> On Mon, Jul 28, 2008 at 9:56 AM, Sylvain Hellegouarch <sh at defuze.org 
> <mailto:sh at defuze.org>> wrote:
> 
>     Peter Saint-Andre a écrit :
>      > Sylvain Hellegouarch wrote:
>      >> Peter Saint-Andre a écrit :
>      >>> Sylvain Hellegouarch wrote:
>      >>>> Hi all,
>      >>>>
>      >>>> Following Peter last blog note [1] and XEP-0235, I'm pleased
>     there is a
>      >>>> formal definition on how to couple OAuth with XMPP but I'm
>     somewhat
>      >>>> disconcerted by the fact that the definition is per XMPP
>     service. Why?
>      >>>> XEP-035 specifies for a few of them (PubSub, MUC and Registration)
>      >>>> but I'm
>      >>>> wondering if that wouldn't have made more sense to define a
>     service
>      >>>> on its
>      >>>> own.
>      >>> Do you mean that an XMPP server could offer a generalized OAuth
>      >>> service for use by things like pubsub components, MUC
>     components, and
>      >>> the XMPP server itself?
>      >>
>      >> Yes.
>      >
>      > Could you expand a bit on what you mean by that? I don't think
>     XEP-0235
>      > (which I'm currently updating to reflect our discussions in Portland)
>      > disallows a standalone OAuth service that's used by servers and
>      > components, but that model seems to be a bit more sophisticated and
>      > complex.
>      >
>      > /psa
>      >
>      >
> 
>     Right. I can see it would indeed make it more complex and would prevent
>     the solution to be implemented and deployed reasonnably soon.
> 
>     However I didn't mean your XEP was forbidding a standalone service,
>     perhaps a note in that spirit would make it clear that indeed you can
>     write such service.
> 
>     - Sylvain
> 
>  
> Peter and I discussed an iq packet with the oauth namespace being used 
> to establish trust for a JID permanently.  Is that still going to be 
> included as an option?

Yes, I'll add that use case in the next version of XEP-0235, but I think 
it's tangential to what Sylvain is talking about, because you could use 
the IQ exchange with a pubsub service, a MUC service, an IM server, or a 
standalone OAuth service that's used by all of the above. However I have 
no objections to standalone OAuth services, it's just that we'd need to 
define the interactions between said service and all the other services 
that might be deployed in a domain (e.g., how does the pubsub service 
check an OAuth token with the OAuth service). Those flows won't be in 
the next version of XEP-0235 but they might be in a future version, or 
in a future spec that builds on XEP-0235.

/psa


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 7338 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20080728/aa6af27d/attachment-0002.bin>


More information about the JDev mailing list