[jdev] Figuring out what a client thinks its JID is
aaronkryptokos6 at aaronwl.com
Mon Apr 5 17:01:33 CDT 2010
Nathan Fritz wrote:
> By not using the same node as the authentication user, you're going
> against two SHOULD suggestions in the RFC
I can't find anything in RFC 3920 about this case. Can you help me find
these two recommendations?
> I would recommend against doing this on a public
> service where you expect any IM client.
The authentication and authorization system already exists, so my hands
are mostly tied. I'm open to any reasonable implementation that will
make this work. The one design restriction imposed on me is that the
authenticating client must some sort of way provide the authentication
username as part of the process; mapping from the node to auth
credentials is not acceptable.
If it's true that the RFC discourages this practice, then I think the
RFC may need to be revised. For people who are running simple
stand-alone Jabber servers, this sort of thing doesn't matter. But for
organizations like mine that are trying to embrace XMPP by adding an
XMPP interface to existing infrastructure, this is a major issue. GTalk
has a variation of the same problem, except with domain instead of
username. I think the real long-term solution here is that the RFC
needs to firmly instruct clients to not make assumptions about their
JIDs, and instead accept (or reject) what they are given at resource
> are, again, in violation of the spec by delivering stanzas where the
> bare jid does not match their bound name, and you could cause
> unintended consequences on the client (crashes or strange behavior) by
> simply pinging them in this way.
I can't find any prohibition like this in RFC 3920 or the draft. Can
you point out a specific passage that prohibits this sort of probing?
> I really don't see either of these options being viable as the client
> is simply broken if it doesn't respond to it's bound fulljid and you
> risk greater consequences if you try to "adjust" at the protocol
My main goal is for a short-term, practical improvement in functionality
for as many users as possible.
As an alternative, I'm thinking about perhaps having the user do
something special to indicate that 'JID masquerading' should be
performed, such as placing a special character in their username.
Another option is to try to detect specific versions that are broken
using XEP-0092: Software Version, and apply the workaround for just
those. This would get correct operations to the largest groups of
users, and prevent breaking people whose clients were in fact operating
More information about the JDev