[Standards] Authorization over HTTP

anders conbere aconbere at gmail.com
Wed Nov 7 23:33:54 UTC 2007


I've spent the last couple of months working on some projects that
attempt to utilize XMPP's roster management APIs to store users' trust
relationships for creating and interacting with social networks. This
is all well and good, but there doesn't exist a secure means of me
passing user credentials to the jabber server to authenticate my
users, /and/ my daemons are forced to store the session state
locally. If we consider that creating and interacting with a giant
global social network is a plausible use case for XMPP (and the user
profile XEP seems to suggest that at least some people have thought
that way), then having a way to safely authorize web clients will be
an enormous boon to developers of these networks.

Example work flow
=================

User = user logging into a web application
Consumer = The Web Application
Service Provider = User's Jabber Server

User requests access to an XMPP API from the Consumer
Consumer redirects the User to the Service Provider
The User enters their credentials into the Service Provider
The Service Provider posts back to the Consumer with a unique access token
The Consumer then makes the XMPP API call to the Service Provider with
the unique token granted to it.

Future requests for data from the Consumer would be done with the
token, which provides access to the restricted APIs.

Problems and Pitfalls
=====================

The servers would need to provide HTML login forms to users
The servers would need to be able to deal with the tokens passed to
the Consumers and allow access to the users' data given that.

Anyway, I've never proposed anything here, so I would love to hear
ideas on how we can make this work, and if we can't, why.

Thanks,
~ Anders
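The five-step flow above, modelled as an added example that is not part of Anders' post and not the code of any XMPP server. It simulates the Service Provider side: the User authenticates directly with the Service Provider (the Consumer never sees the password), the Service Provider issues an opaque random token bound to that User, that Consumer and one API scope, and every later API call is checked against the stored grant. The account table, the `roster:read` scope name, the token lifetime and the roster contents are constructed for the demo; none of them is from a XEP.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed model of the token flow in the post. Class, scope and
# endpoint names are assumptions, not part of any XEP or server product.


@dataclass
class Grant:
    """What the Service Provider remembers about one issued token."""
    jid: str            # the User whose data the Consumer may read
    consumer_id: str    # the Consumer the token was issued to
    scope: str          # the single XMPP API the grant covers
    expires_at: float   # absolute time after which the grant is void


class ServiceProvider:
    """The User's Jabber server (constructed stand-in)."""

    def __init__(self, accounts: dict, ttl: float = 3600.0):
        self._accounts = accounts           # jid -> password (demo only)
        self._grants: dict = {}             # opaque token -> Grant
        self._ttl = ttl

    def login_and_grant(self, jid, password, consumer_id, scope, now=None):
        """Steps 2-4: the User logs in at the SP's own form; on success the
        SP mints a token for this Consumer and scope and hands it back."""
        stored = self._accounts.get(jid)
        # Constant-time comparison so a wrong password does not leak
        # how many leading characters matched.
        if stored is None or not hmac.compare_digest(
                stored.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)   # opaque and unguessable
        now = time.time() if now is None else now
        self._grants[token] = Grant(jid, consumer_id, scope, now + self._ttl)
        return token

    def api_call(self, token, consumer_id, scope, now=None):
        """Step 5: the Consumer presents the token with its API request.
        The SP must know the token, and it must have been issued to this
        Consumer, for this scope, and still be within its lifetime."""
        now = time.time() if now is None else now
        grant = self._grants.get(token)
        if grant is None:
            return {"error": "unknown-token"}
        if grant.consumer_id != consumer_id or grant.scope != scope:
            # A token leaked to another Consumer, or reused for a different
            # API, is refused even though it is otherwise valid.
            return {"error": "token-not-valid-for-consumer-or-scope"}
        if now >= grant.expires_at:
            del self._grants[token]         # forget it rather than keep stale state
            return {"error": "token-expired"}
        return {"jid": grant.jid, "roster": self._roster_for(grant.jid)}

    def _roster_for(self, jid):
        # Constructed roster; a real server reads the User's roster store.
        return ["alice@example.net", "bob@example.net"]


def run_flow(sp, jid, password, consumer_id="social-app", scope="roster:read",
             now=None):
    """Drive the whole exchange from the Consumer's point of view and
    return the API response (or the login failure as None)."""
    token = sp.login_and_grant(jid, password, consumer_id, scope, now=now)
    if token is None:
        return None
    return sp.api_call(token, consumer_id, scope, now=now)


if __name__ == "__main__":
    sp = ServiceProvider({"anders@example.net": "correct-horse"}, ttl=60.0)
    print(run_flow(sp, "anders@example.net", "correct-horse"))
    print(run_flow(sp, "anders@example.net", "wrong-password"))
```

The point the post's "Problems and Pitfalls" section hints at is visible in `api_call`: because the token is opaque, the Service Provider has to keep its own table of who the token belongs to and what it allows, and it has to check that table on every request. Binding each token to one Consumer and one scope limits what a leaked token is good for, and the expiry keeps the table from growing without bound.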


