[Members] signin-to-browser initial architecture proposal

jehan at zemarmot.net jehan at zemarmot.net
Wed May 2 14:45:28 UTC 2012


Hi,

I just wanted to point out an implementation of XMPP as identity 
mechanism in a website that I wrote. This is done as a Wordpress plugin 
(and I already use it quite successfully on a few Wordpress 
installations, so well that I even deactivated authentication by 
password for my user!).
http://wordpress.org/extend/plugins/xmpp-auth/

And I have to say this is a very comfortable way to log-in, very smooth 
and much more comfortable than browserID (or anything email related).
Obviously if we could have XMPP embedded in a browser, that would be 
even smoother because we would not even have to click anything (the 
browser would automatically acknowledge an auth request that was 
initiated through it).
Also that's obviously much more secure than something email based.

I also use this same plugin for comment authorization. Rather than 
asking an email (which means nothing, you can enter whatever), or 
waiting for admin verification/anti-spam, we can ask for a JID and check 
it is actually the real user JID.

There are many close usage that could be made through it in the future, 
like giving authorization to access other personal data (oauth like), 
etc.
But we would need to write the XEP for this part (I don't think having 
seen any about this, but I have not seen all!). And of course fix the 
current XEP for auth. Also we would need to display real demos (like my 
plugin!) to show something concrete and understandable to users (which 
is why I proposed once to have this plugin on xmpp.org website so that 
we could finally have easy but safe commenting there!).

Anyway all this to say I obviously agree that should be nice to push 
this on browser.
And I am happy to help with spec and code with all this if we have some 
nice project going on. :-)
I can adapt my plugin if needed to have it demo-ing on xmpp.org, I can 
even give the copyright to the XSF. I do this because I believe that's 
the way to go, not glory or whatever (anyway can one have glory with 
such thing? uhuh).

Jehan

Le 2012-05-02 23:25, Arc Riley a écrit :
> Ive had a few conversations with Dan Callahan (who was just hired by
> Mozilla to work on BrowserID) about using XMPP as an identity
> mechanism.  He seemed receptive to the idea.
>
> Personally Id like to see this go a lot further than identity but
> thered need to be a lot of work on defining a standard security model
> for allowing websites to (eg) send messages on behalf of a user,
> subscribe to pubsub nodes, use adhoc commands, etc via javascript.
>
> Id like to point out that XMPP is already getting integrated with
> browsers, but not in the way wed prefer - Google is integrating
> gTalk/Hangouts with Chrome and pushing it as a plugin to gmail/g+
> users. 



More information about the Members mailing list