[standards-jig] Re: UPDATED: JEP-0078 (Non-SASL Authentication)

Peter Saint-Andre stpeter at jabber.org
Tue Feb 3 23:23:26 UTC 2004

On Tue, Feb 03, 2004 at 11:34:54AM -0600, Peter Saint-Andre wrote:
> I've updated JEP-0078 (Non-SASL Authentication) to clarify that both
> username and resource are REQUIRED for client authentication (it seems
> there was some confusion on this point). In particular, I have added 
> the following paragraph:
>    Both the username and the resource are REQUIRED for client
>    authentication using the 'jabber:iq:auth' namespace; if more 
>    flexible authentication and resource provisioning are desired, 
>    a server SHOULD implement SASL authentication and resource 
>    binding as defined in XMPP Core (e.g., to enable the server 
>    to provide the resource). The <username/> and <resource/> 
>    elements MUST be included in the IQ result returned by the 
>    server in response to the initial IQ get, and also MUST be 
>    included in the IQ set sent by the client when providing
>    authentication credentials.

Hmm, it's possible that some server implementations have extended 
iq:auth using x:data forms, and therefore don't return anything in the
IQ result other than an x:data form (yes, it's a bit odd, but nothing
inherently wrong with it, especially in the pre-SASL days). Those people
are now technically non-compliant. Does it matter? Would more nuanced
text be helpful? (E.g., change MUST to SHOULD but clearly explain why
username + resource would not be required, i.e., you've extended iq:auth
by using x:data instead.)


Peter Saint-Andre
Jabber Software Foundation
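
The requirement quoted above, and the x:data case raised in the reply, expressed as a stanza check. This is an added example, not part of the original message or of JEP-0078; the function name `check_iq_auth`, the finding strings and the sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"
XDATA_NS = "jabber:x:data"
REQUIRED = ("username", "resource")

def check_iq_auth(stanza):
    """Return a list of findings; an empty list means the stanza passes."""
    # XMPP streams never carry DTDs; refusing them also avoids entity expansion.
    if "<!DOCTYPE" in stanza or "<!ENTITY" in stanza:
        return ["DTD not allowed"]
    try:
        iq = ET.fromstring(stanza)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    iq_type = iq.get("type")
    query = iq.find(f"{{{AUTH_NS}}}query")
    # The rule covers only the server's IQ result and the client's IQ set.
    if query is None or iq_type not in ("result", "set"):
        return []
    findings = []
    for name in REQUIRED:
        el = query.find(f"{{{AUTH_NS}}}{name}")
        if el is None:
            findings.append(f"<{name}/> missing from IQ {iq_type}")
        elif iq_type == "set" and not (el.text or "").strip():
            findings.append(f"<{name}/> empty in IQ set")
    # The case raised in the reply: iq:auth extended with an x:data form only.
    if findings and query.find(f"{{{XDATA_NS}}}x") is not None:
        findings.append("x:data form present instead of iq:auth fields")
    return findings

# Constructed sample stanzas (not captured traffic).
COMPLIANT_RESULT = ("<iq type='result' id='auth1'><query xmlns='jabber:iq:auth'>"
                    "<username/><password/><digest/><resource/></query></iq>")
XDATA_RESULT = ("<iq type='result' id='auth1'><query xmlns='jabber:iq:auth'>"
                "<x xmlns='jabber:x:data' type='form'>"
                "<field var='username' type='text-single'/></x></query></iq>")
SET_NO_RESOURCE = ("<iq type='set' id='auth2'><query xmlns='jabber:iq:auth'>"
                   "<username>bill</username><password>example</password>"
                   "</query></iq>")

if __name__ == "__main__":
    for label, s in [("compliant result", COMPLIANT_RESULT),
                     ("x:data-only result", XDATA_RESULT),
                     ("set without resource", SET_NO_RESOURCE)]:
        print(label, "->", check_iq_auth(s) or "ok")
```
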
