[jdev] oAuth equivalent for for XMPP?

Simon Tennant (buddycloud) simon at buddycloud.com
Sat Dec 11 04:31:02 CST 2010

Recently I have been working with a different developers who are trying 
to build bosh-based buddycloud-channels into their own websites.

The problem is:

A user needs to log-into a website using their jid. A thrid-party 
website (eg: channels.example.com) asking for your jid and password 
(joe at gmail.com) should scare any sensible user and worry xmpp operators 
that $RANDOMWEBSITE is asking for their user's credentials.

Additionally, we also have a problem in that users need to log-in 
repeatedly to access anything that uses a BOSH connection. While one can 
debate the merits of this, users are more familiar to an experience 
where they have to reauthenticate infrequently.

So I guess the questions that arise are:

    * How do we protect against rogue websites saving your password?
      What practices are other xmpp website developers using?
    * Is there an oAuth equivalent for XMPP?
    * What best practices are websites using to save the user logging in
      repeatedly each time the BOSH connection is destroyed (leaving the


Simon Tennant

mobile: +49 17 8545 0880
office: +44 20 7043 6756
office: +49 89 4209 55854

xmpp:simon at buddycloud.com
mailto:simon at buddycloud.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20101211/ad328481/attachment.htm>

More information about the JDev mailing list