[jdev] oAuth equivalent for for XMPP?

Simon Wilkinson sxw at inf.ed.ac.uk
Mon Dec 13 05:50:20 CST 2010

On 13 Dec 2010, at 11:46, Simon Tennant (buddycloud) wrote:

> On 13/12/2010 12:39, Christoph Terwelp wrote:
>> XEP-0070 doesn't solve this problem because it only handles  
>> authentication of a client to a server. Here a authentication at  
>> the xmpp server itself is required but without showing the users id  
>> and password to an intermediate web server. Something similar is  
>> done for example in "Remember the milk" where you can manage  
>> external websites and clients and their access rights to your  
>> account.
> Right - it's the intermediate websites asking for users' password  
> that worries me.
> I'm not so keen on $RANDOM-WEBSITE asking for buddycloud user's  
> passwords. But I see no solution.

The Enterprise SSO market has a number of solutions for this problem.  
Systems like Cosign, WebAuth and Shibboleth allow credentials to be  
entered at a single, secure location, and then redirect the user back  
to the intermediate website.


More information about the JDev mailing list