[Standards] Authorization over HTTP
aconbere at gmail.com
Thu Nov 8 17:36:56 UTC 2007
On Nov 8, 2007 4:25 AM, Tomasz Sterna <tomek at xiaoka.com> wrote:
> On 07-11-2007, Wed at 15:33 -0800, anders conbere writes:
> > Example work flow
> > ==============
> > User = user logging into a web application
> > Consumer = The Web Application
> > Service Provider = User's Jabber Server
> > User requests access to an xmpp api from the Consumer
> > Consumer redirects the user to the Service Provider
> > The User enters their credentials into the Service Provider
> > The Service Provider posts back to the Consumer with a unique access
> > token
> > The Consumer then makes the xmpp api call to the Service Provider with
> > the unique token granted to it.
> > Future requests for data from the Consumer would be done with the
> > token, and provided access to the restricted APIs
> If I understand correctly, what you are describing is
> OpenID authorized by XMPP.
> It is already in use. Please see http://openid.xmpp.za.net/
As far as I understand it XEP-0070 is for granting a user access to
restricted resources on a /web host/ based on whether they pass
authentication with the jabber server. I'm actually interested in
working in a way somewhat backwards to that. I want to grant a web
server access to a user's data on a jabber server if the jabber server
authenticates the user.
That is, I want to "authorize" the web server to act as an
"authenticated" client for the user.
And I /think/ that both 0101 and 0070 rely on a jabber browser plugin
to do the authentication over sasl.
Both of those restrictions make their use implausible on the web
today. Rather I'm proposing a purely http workflow similar to OAuth
(http://oauth.net/) that would allow anyone to tie into the jabber
resources on the web in a secure fashion, without having to pass their
credentials through a non-trusted service.
> /\_./o__ Tomasz Sterna
> (/^/(_^^' Xiaoka.com
> ._.(_.)_ XMPP: smoku at xiaoka.com
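The redirect-and-token workflow quoted at the top of the message, simulated end to end as an added example (this is not code from the thread, from Anders, or from any XMPP project). The Service Provider stands in for the user's Jabber server, the Consumer for the web application; the in-memory user store, the "roster" API method, the token lifetime and every JID and hostname are assumptions made for the simulation. The point it shows is the one the message makes: the user's password is only ever entered at the Service Provider, the Consumer holds only an opaque token, and the Service Provider checks that token against who it was issued to, what it was scoped to, and when it expires.

```python
"""Simulation of the OAuth-like workflow from the quoted message (added
example; names, stores and the 'roster' method are assumptions)."""
import hashlib
import hmac
import secrets
import time


class ServiceProvider:
    """The user's Jabber server: authenticates the User, issues tokens to a
    Consumer, and serves restricted API calls made with those tokens."""

    def __init__(self):
        self._users = {}    # jid -> (salt, pbkdf2 hash)   (constructed data)
        self._tokens = {}   # token -> grant record
        self._roster = {}   # jid -> contacts             (constructed data)

    def register_user(self, jid, password, roster):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[jid] = (salt, digest)
        self._roster[jid] = list(roster)

    def _check_password(self, jid, password):
        record = self._users.get(jid)
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    def authorize(self, jid, password, consumer_id, scope, ttl=600):
        """Workflow steps 2-4: the User, redirected here, enters credentials at
        the Service Provider, which then posts an opaque token back to the
        Consumer. Returns the token, or None when authentication fails."""
        if not self._check_password(jid, password):
            return None
        token = secrets.token_urlsafe(32)   # unguessable; carries no user secret
        self._tokens[token] = {
            "jid": jid,
            "consumer": consumer_id,
            "scope": set(scope),
            "expires": time.time() + ttl,
        }
        return token

    def api_call(self, token, consumer_id, method, now=None):
        """Workflow step 5: the Consumer calls the restricted API with the
        token. The grant must exist, be unexpired, have been issued to this
        Consumer, and cover the requested method."""
        now = time.time() if now is None else now
        grant = self._tokens.get(token)
        if grant is None or grant["expires"] < now:
            return {"error": "invalid-or-expired-token"}
        if grant["consumer"] != consumer_id:
            return {"error": "token-not-issued-to-this-consumer"}
        if method not in grant["scope"]:
            return {"error": "out-of-scope"}
        if method == "roster":
            return {"jid": grant["jid"], "roster": list(self._roster[grant["jid"]])}
        return {"error": "unknown-method"}


class Consumer:
    """The web application. It never sees the User's password, only the token."""

    def __init__(self, consumer_id):
        self.consumer_id = consumer_id
        self.token = None

    def receive_token(self, token):
        self.token = token

    def fetch_roster(self, sp):
        return sp.api_call(self.token, self.consumer_id, "roster")


def run_flow():
    """Runs the happy path plus the checks a Service Provider should enforce."""
    sp = ServiceProvider()
    sp.register_user("alice@example.org", "correct horse", ["bob@example.org", "carol@example.org"])
    webapp = Consumer("webapp.example.com")

    # Credentials go to the Service Provider; the Consumer only gets the token.
    token = sp.authorize("alice@example.org", "correct horse", webapp.consumer_id, {"roster"})
    webapp.receive_token(token)

    # A different Consumer presenting the same token is refused.
    other = Consumer("another-site.example.net")
    other.receive_token(token)

    return {
        "ok": webapp.fetch_roster(sp),
        "wrong_consumer": other.fetch_roster(sp),
        "bad_password": sp.authorize("alice@example.org", "wrong", webapp.consumer_id, {"roster"}),
        "out_of_scope": sp.api_call(token, webapp.consumer_id, "vcard"),
        "expired": sp.api_call(token, webapp.consumer_id, "roster", now=time.time() + 3600),
    }


if __name__ == "__main__":
    for name, result in run_flow().items():
        print(f"{name}: {result}")
```

The binding of each token to the consumer it was issued to and to an explicit scope is what keeps "authorize the web server to act as an authenticated client" from collapsing into "hand the web server the account": a token that leaks, or one that reaches the wrong site, buys only the roster read it was granted, and only until it expires.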