[Standards-JIG] JID assigned by the server and SASL authentication

Jean-Louis Seguineau/EXC/ENG jean-louis.seguineau at antepo.com
Thu Jun 17 03:28:19 UTC 2004


David, 

I haven't found any satisfactory answer in the current draft (nor in the
previous implementation of the jabber protocol as a matter of fact) and the
example of the MSISDN authentication is one of the use cases. Any serious
enterprise IM authentication MUST support credentials that are different
from the user address.

We have long incorporated the idea that user credentials are separate from
user addressing when using the 'legacy' jabber:iq:auth by providing the
server assigned JID in the to attribute of the iq result. 

I have no pre-conceived idea on how to implement it in the current draft,
but I strongly believe XMPP is missing the point if it does not provide this
capability. What you describe below is certainly a step in the right
direction, and I support it.

Jean-Louis Seguineau
VP Engineering, Antepo, Inc. 


-----Original Message-----
Message: 6
Date: Tue, 15 Jun 2004 15:28:03 +0200
From: "CORVOYSIER David FTRD/DMI/REN"
	<david.corvoysier at francetelecom.com>
Subject: RE : [Standards-JIG] JID assigned by the server and SASL
	authentication
To: "Jabber protocol discussion list" <standards-jig at jabber.org>
Message-ID: <D2AA6DF1AEE4404F8D983B68BAC97CD29DF218 at ftrdmel3.rd.francetelecom.fr>
Content-Type: text/plain;	charset="us-ascii"

Thanks for the answer. 
I tried to describe the stanza flows for both use cases.

UC #1:
SASL EXTERNAL (assuming that the phone number is retrieved on a lower
level).

C >> S

<stream:stream
    xmlns='jabber:client'
    xmlns:stream='http://etherx.jabber.org/streams'
    to='example.org'
    version='1.0'>

C << S

<stream:stream
    xmlns='jabber:client'
    xmlns:stream='http://etherx.jabber.org/streams'
    id='c2s_234'
    from='example.org'
    version='1.0'>

C << S

<stream:features>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>EXTERNAL</mechanism>
  </mechanisms>
</stream:features>

Now we are supposed to put the authzid in the initial response, that MAY
be included in the 'auth' command.
I couldn't find a description of the response containing the authzid,
but since an empty initial response is just '=', I imagine it should be
something like:

C >> S

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
      mechanism='EXTERNAL'>authzid='alice@example.org'</auth>

Then the server checks the association between the phone number and the
provided JID.

C << S

<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

UC #2:
SASL EXTERNAL + resource binding

...

C >> S

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl'
      mechanism='EXTERNAL'>=</auth>

No authzid provided: the server retrieves the JID that is associated
with the underlying phone number.

C << S

<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>

The JID is sent back during the resource binding step.

...

C >> S

<iq type='set' id='bind_1'>
  <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
</iq>

C << S

<iq type='result' id='bind_1'>
  <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
    <jid>alice@example.org/someresource</jid>
  </bind>
</iq>

Is this what you meant, or am I wrong again?

David CORVOYSIER
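The two use cases above, modelled as an added example that is not code from the thread or from either author's server: a minimal server-side handler for SASL EXTERNAL that checks an asserted authzid against the JID mapped to the lower-layer identity (UC #1), falls back to the mapped JID when the initial response is empty (UC #2), and returns the assigned JID in the bind result. It assumes the initial response is base64 as the XMPP SASL profile requires (with '=' for an empty response), and the MSISDN-to-JID table is constructed sample data.

```python
import base64
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
BIND_NS = "urn:ietf:params:xml:ns:xmpp-bind"

# Constructed sample mapping from the lower-layer identity (MSISDN) to the
# server-assigned JID; a real server would consult its user directory.
MSISDN_TO_JID = {"+33612345678": "alice@example.org"}


def build_auth(authzid=""):
    """Client side: <auth/> for EXTERNAL, authzid as base64 initial response."""
    body = base64.b64encode(authzid.encode("utf-8")).decode("ascii") if authzid else "="
    return f"<auth xmlns='{SASL_NS}' mechanism='EXTERNAL'>{body}</auth>"


def decode_initial_response(text):
    """Decode the base64 initial response; a lone '=' means an empty response."""
    text = (text or "").strip()
    if text in ("", "="):
        return ""
    return base64.b64decode(text).decode("utf-8")


def handle_auth(auth_xml, msisdn):
    """Server side of SASL EXTERNAL: returns (assigned JID or None, reply stanza)."""
    auth = ET.fromstring(auth_xml)
    if auth.tag != f"{{{SASL_NS}}}auth" or auth.get("mechanism") != "EXTERNAL":
        return None, f"<failure xmlns='{SASL_NS}'><invalid-mechanism/></failure>"
    mapped = MSISDN_TO_JID.get(msisdn)
    if mapped is None:  # transport identity unknown: nothing to authorize against
        return None, f"<failure xmlns='{SASL_NS}'><not-authorized/></failure>"
    authzid = decode_initial_response(auth.text)
    # UC #1: client asserted an authzid; it must be the JID bound to this MSISDN
    if authzid and authzid != mapped:
        return None, f"<failure xmlns='{SASL_NS}'><invalid-authzid/></failure>"
    # UC #2 (or a matching authzid): the server-assigned JID comes from the mapping
    return mapped, f"<success xmlns='{SASL_NS}'/>"


def handle_bind(bind_iq_xml, jid, default_resource="someresource"):
    """Answer the bind request with the full JID the server assigned."""
    iq = ET.fromstring(bind_iq_xml)
    bind = iq.find(f"{{{BIND_NS}}}bind")
    if iq.get("type") != "set" or bind is None:
        return f"<iq type='error' id='{iq.get('id')}'/>"
    resource = bind.findtext(f"{{{BIND_NS}}}resource") or default_resource
    return (f"<iq type='result' id='{iq.get('id')}'>"
            f"<bind xmlns='{BIND_NS}'><jid>{jid}/{resource}</jid></bind></iq>")
```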
