[jdev] Login with SASL credentials unrelated to domain username
norman at rasmussen.co.za
Sun Nov 15 12:46:25 CST 2009
DIGEST-MD5 (and so some degree GSSAPI), allows you to authenticate with
separate credentials from the account you're authorizing to.
So it's 100% valid in the XMPP world to login into the joe at example.com xmpp
account using a username of bob and bob's password.
On Sun, Nov 15, 2009 at 4:01 AM, Aaron Kryptokos <
aaronkryptokos6 at aaronwl.com> wrote:
> I'm working on an XMPP server im interface to a closed user community.
> Currently, users can only participate in conversations through the community
> software, which can be inconvenient if communication with contacts is all
> that is desired. However, I'm having some trouble mapping XMPP-style
> authentication into our authentication scheme.
> In our system, the client's public username at our domain has no particular
> relationship to their private authentication identity. That is, the
> username portion of username at domain does not match the SASL authcid.
> The problem is that all of the XMPP-based IM clients that I looked at
> typically ask only two questions:
> What is your JID?
> What is your password?
> Some ask for username separately from domain, and many allow a server
> hostname other than the domain, but none (that I tried) seem to allow an
> authentication username that differs from the JID username. The net effect
> is that the client's idea of what its JID is is incorrect.
> The reason I think that this type of scheme is reasonable is that it works
> just fine with software for other standard messaging protocols, such as
> SMTP, IMAP, and POP3. In those protocols, the authentication credentials
> provided at login (with SASL or otherwise) have no particular relationship
> with the email address. For instance, it's totally trivial to set up any
> mail client to authenticate with the IMAP and SMTP servers as 'bob' but send
> messages as 'joe at example.com.'
> I'm not totally sure what the impact of this is. Some clients seem to at
> least partially understand having their bare JID reassigned during resource
> binding, particularly those that support '
> http://www.google.com/talk/protocol/auth' (
> such as Pidgin. However, even on these clients, the JID is still usually
> displayed incorrectly in the accounts page. At the very least, this could
> cause substantial user confusion. In addition, in our system, we consider
> authentication credentials to be somewhat private information, and avoiding
> their leakage is probably a good thing.
> Have any other sites or software packages found ways to work around this
> issue? Does anyone have any advice on how to handle this situation?
> JDev mailing list
> Forum: http://www.jabberforum.org/forumdisplay.php?f=20
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the JDev