[jdev] Claims-based Authentication

Jonathan Dickinson jonathan at dickinsons.co.za
Fri Jun 4 02:24:17 CDT 2010



> Date: Thu, 3 Jun 2010 07:54:48 -0600
> From: stpeter at stpeter.im
> To: jdev at jabber.org
> Subject: Re: [jdev] Claims-based Authentication
> 
> On 6/3/10 7:48 AM, Jonathan Dickinson wrote:
> >> Date: Thu, 3 Jun 2010 07:41:25 -0600
> >> From: stpeter at stpeter.im
> >> To: jdev at jabber.org
> >> Subject: Re: [jdev] Claims-based Authentication
> >>
> >> [...]
> >>
> >> 2. Why wouldn't the WS-* folks define a new SASL mechanism?
> > 
> > The problem is the XML - WSF uses XML to do the exchange, to base64-ing
> > it wouldn't be the best (as per requirement from the SASL RFC). If that
> > lands up being the route taken they would probably only need to reserve
> > a namespace.
> 
> I don't see why we couldn't embed XML. The point about Base64-encoding
> in RFC 3920 is that if you have XML character data that's content of the
> <auth/> element, it needs to be Base64-encoded. But for different
> authentication mechanisms we might define more elaborate approaches.

The real cracker is you can do far more with WSF than just plain-old authentication. You can pass the user identity around etc. but I guess that's another problem for another day.

> Unfortunately that might mean that the <auth/>, <challenge/>, and
> <response/> elements end up having a mixed content model (ick), like this:
> 
>    R: <stream:features>
>         <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
>           <mechanism>EXTERNAL</mechanism>
>           <mechanism>FOOBAR</mechanism>
>         </mechanisms>
>       </stream:features>
> 
>    I: <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
>             mechanism='FOOBAR'>
>         <some-xml-here/>
>       </auth>
> 
> /psa
> 

Icky was what I thought initially as well; however it shouldn't affect systems which don't support WSF mechanisms because they would never select them. I think this is the cleanest way to do it (without resorting to even more icky base-64 encoding XML).
I will experiment and see what I come up with. Thanks for the feedback.
Slightly off topic of the XML issue - we should maybe reserve/standardize Bare JID/Full JID claims with OASIS.

-- Jonathan Dickinson
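The two encodings being debated above, as an added example that is not part of this thread or of any XMPP library: a sender builds the SASL `<auth/>` either with Base64-encoded character data (the RFC 3920 rule) or with the payload embedded as a child element (the FOOBAR-style proposal), and a receiver accepts either form but rejects an `<auth/>` that carries both real text and child elements, which is the ambiguous mixed-content case. The `urn:example:claims` token, the `FOOBAR` mechanism name and the JID are constructed placeholders; only the Python standard library is used.

```python
import base64
import copy
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
AUTH_TAG = "{%s}auth" % SASL_NS

# Constructed sample payload: a hypothetical claims token, not a real WS-* format.
SAMPLE_PAYLOAD = ET.fromstring(
    '<token xmlns="urn:example:claims">'
    '<claim name="bare-jid">juliet@example.com</claim></token>'
)

def build_auth(mechanism, payload, embed):
    """Build <auth/>. embed=False: payload serialised and Base64-encoded as
    character data (the RFC 3920 rule). embed=True: payload carried as a
    child element (the FOOBAR-style proposal from the thread)."""
    auth = ET.Element(AUTH_TAG, {"mechanism": mechanism})
    if embed:
        auth.append(copy.deepcopy(payload))
    else:
        auth.text = base64.b64encode(ET.tostring(payload)).decode("ascii")
    return auth

def extract_payload(auth):
    """Receiver side: recover the payload from either form, but reject an
    <auth/> that carries both real character data and child elements,
    since a peer could not tell which representation was intended."""
    if auth.tag != AUTH_TAG:
        raise ValueError("not a SASL <auth/> element")
    children = list(auth)
    text = (auth.text or "").strip()
    tails = "".join((c.tail or "") for c in children).strip()
    if children and (text or tails):
        raise ValueError("mixed content: text alongside child elements")
    if len(children) > 1:
        raise ValueError("expected exactly one payload element")
    if children:
        return children[0]
    if not text:
        raise ValueError("empty <auth/> payload")
    # binascii.Error (bad Base64) is a subclass of ValueError
    return ET.fromstring(base64.b64decode(text, validate=True))

def roundtrip(mechanism, payload, embed):
    """Serialise to bytes as it would go on the wire, parse back, extract."""
    wire = ET.tostring(build_auth(mechanism, payload, embed))
    return extract_payload(ET.fromstring(wire))

def accepts(wire):
    """True if the receiver accepts the given <auth/> bytes, else False."""
    try:
        extract_payload(ET.fromstring(wire))
        return True
    except (ValueError, ET.ParseError):
        return False
```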

