[jdev] Claims-based Authentication

Peter Saint-Andre stpeter at stpeter.im
Thu Jun 3 08:54:48 CDT 2010


On 6/3/10 7:48 AM, Jonathan Dickinson wrote:
>> Date: Thu, 3 Jun 2010 07:41:25 -0600
>> From: stpeter at stpeter.im
>> To: jdev at jabber.org
>> Subject: Re: [jdev] Claims-based Authentication
>>
>> 1. Is there a compelling use case for this?
> 
> I have seen a few devs approach the mailing list with this problem. It
> most often appears in the form "How to use OAuth".
> 
>>
>> 2. Why wouldn't the WS-* folks define a new SASL mechanism?
> 
> The problem is the XML - WSF uses XML to do the exchange, so base64-ing
> it wouldn't be the best (as per requirement from the SASL RFC). If that
> lands up being the route taken they would probably only need to reserve
> a namespace.

I don't see why we couldn't embed XML. The point about Base64-encoding
in RFC 3920 is that if you have XML character data that's content of the
<auth/> element, it needs to be Base64-encoded. But for different
authentication mechanisms we might define more elaborate approaches.
Unfortunately that might mean that the <auth/>, <challenge/>, and
<response/> elements end up having a mixed content model (ick), like this:

   R: <stream:features>
        <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
          <mechanism>EXTERNAL</mechanism>
          <mechanism>FOOBAR</mechanism>
        </mechanisms>
      </stream:features>

   I: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
            mechanism='FOOBAR'>
        <some-xml-here/>
      </auth>

/psa
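
The two content models discussed in this message, as an added example that is not part of the original post: a receiving entity can accept either Base64 character data (the RFC 3920 form) or an XML child payload, and reject a mix of both so that no ambiguous input reaches the mechanism handler. The function name `classify_auth` and the PLAIN and mixed-content samples are assumptions constructed for this sketch.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# XML_AUTH is the form sketched in the message (FOOBAR is its placeholder
# mechanism); the other two inputs are constructed for this example.
XML_AUTH = f"<auth xmlns='{SASL_NS}' mechanism='FOOBAR'><some-xml-here/></auth>"
B64_AUTH = f"<auth xmlns='{SASL_NS}' mechanism='PLAIN'>AGp1bGlldABwdw==</auth>"
MIXED_AUTH = f"<auth xmlns='{SASL_NS}' mechanism='FOOBAR'>AGp1<some-xml-here/></auth>"


def classify_auth(stanza):
    """Return (mechanism, kind, payload); kind is 'empty', 'base64' or 'xml'.

    Raises ValueError for mixed content, bad Base64, or a DTD/entity declaration.
    """
    # RFC 3920 forbids DTD subsets and entity references in XMPP streams.
    if "<!DOCTYPE" in stanza or "<!ENTITY" in stanza:
        raise ValueError("DTD or entity declaration not allowed in XMPP")
    el = ET.fromstring(stanza)
    if el.tag != f"{{{SASL_NS}}}auth":
        raise ValueError("not a SASL <auth/> element")
    mech = el.get("mechanism")
    if not mech:
        raise ValueError("missing mechanism attribute")
    children = list(el)
    # Character data can sit before the first child or after any child (tail).
    text = ((el.text or "") + "".join(c.tail or "" for c in children)).strip()
    if children and text:
        raise ValueError("mixed content: character data and child elements")
    if children:
        return mech, "xml", [c.tag for c in children]
    if not text:
        return mech, "empty", b""
    if text == "=":
        # RFC 3920: a lone "=" is a present but zero-length initial response.
        return mech, "base64", b""
    try:
        return mech, "base64", base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError("character data is not valid Base64") from exc
```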
