[Standards] Authorization over HTTP

Dave Cridland dave at cridland.net
Fri Nov 9 14:09:32 UTC 2007

On Thu Nov  8 17:49:28 2007, anders conbere wrote:
> Okay... so given that use case (and maybe this is a use case that  
> the
> xmpp foundation doesn't want to get into) the best way I can see for
> easing the task for developers is creating an authorization scheme,
> that allows me to pass of the authentication request via basic http  
> to
> the jabber server, and recieve from the server an authentication  
> token
> that I then use to contact the jabber server.

You're talking about a pawn ticket mechanism - so the user requests a  
magic key granting a third party access some portion of normally  
private data.

Could you take a look at the URLAUTH mechanism for IMAP, and see if  
this approximates your needs? This is a pretty solid mechanism, in  
deployment, and has gone through security analysis, so it's a  
reasonable one to "port" to XMPP.


1) External service provides its XMPP identity to the user, along  
with what access it requires to the user's data. (In this case, the  
roster). This would be encoded as a URL.
2) If the user agrees, the user hands this URL to their server, and  
the server hands back a "signed" version of it.
3) The service can then connect to XMPP, and use this token as  
authorization to obtain the user's data.

In Lemonade, with URLAUTH, it works similarly, although the user has  
to make up the URL. (Or rather, their client does):

1) User decides to send an email, and uploads a copy to IMAP.
2) User constructs a URL to the message, attaches the relevant stuff  
which says the submission server can access it, and hands it to the  
IMAP server to sign.
3) User then sends the signed URL via SMTP in lieu of the DATA  
command, and the submission server then uses it to both locate, and  
access, the message data for sending.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Standards mailing list