[Standards] Authorization over HTTP
dave at cridland.net
Fri Nov 9 14:09:32 UTC 2007
On Thu Nov 8 17:49:28 2007, anders conbere wrote:
> Okay... so given that use case (and maybe this is a use case that
> xmpp foundation doesn't want to get into) the best way I can see for
> easing the task for developers is creating an authorization scheme,
> that allows me to pass off the authentication request via basic http
> to the jabber server, and receive from the server an authentication
> that I then use to contact the jabber server.
You're talking about a pawn ticket mechanism - so the user requests a
magic key granting a third party access to some portion of normally
Could you take a look at the URLAUTH mechanism for IMAP, and see if
this approximates your needs? This is a pretty solid mechanism, in
deployment, and has gone through security analysis, so it's a
reasonable one to "port" to XMPP.
1) External service provides its XMPP identity to the user, along
with what access it requires to the user's data. (In this case, the
roster). This would be encoded as a URL.
2) If the user agrees, the user hands this URL to their server, and
the server hands back a "signed" version of it.
3) The service can then connect to XMPP, and use this token as
authorization to obtain the user's data.
In Lemonade, with URLAUTH, it works similarly, although the user has
to make up the URL. (Or rather, their client does):
1) User decides to send an email, and uploads a copy to IMAP.
2) User constructs a URL to the message, attaches the relevant stuff
which says the submission server can access it, and hands it to the
IMAP server to sign.
3) User then sends the signed URL via SMTP in lieu of the DATA
command, and the submission server then uses it to both locate, and
access, the message data for sending.
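As an added illustration of the pawn-ticket flow in steps 1-3 above (both the proposed XMPP version and its URLAUTH analogue), here is a small Python model that is not part of this message or of any XMPP/IMAP implementation: the URL layout (`xmpp:user?resource;authorized=...;expires=...;urlauth=internal:<mac>`) and the use of an HMAC over the URL as the server's "signature" are assumptions chosen for the example, not a specification.

```python
import hmac
import hashlib

# Constructed example of a URLAUTH-style "pawn ticket" for XMPP data.
# The URL names the data (e.g. the roster), the party allowed to use it,
# and an expiry; the user's server appends an HMAC computed with a key
# that only the server holds, so nobody else can mint or alter tickets.

def build_request_url(user_jid, service_jid, resource, expires_at):
    # Step 1/2: the service's identity and the requested access, as a URL
    # (hypothetical layout; the parameter names are assumptions).
    return f"xmpp:{user_jid}?{resource};authorized={service_jid};expires={expires_at}"

def sign_url(url, server_key):
    # Step 2: the user's server "signs" the URL with its private key.
    mac = hmac.new(server_key, url.encode(), hashlib.sha256).hexdigest()
    return f"{url};urlauth=internal:{mac}"

def verify_url(signed_url, server_key, presenting_jid, now):
    # Step 3: the server checks a presented ticket before releasing data.
    try:
        url, sig = signed_url.rsplit(";urlauth=internal:", 1)
    except ValueError:
        return False  # not a signed URL at all
    expected = hmac.new(server_key, url.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False  # forged or tampered ticket
    params = {}
    for part in url.split(";")[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            params[key] = value
    if params.get("authorized") != presenting_jid:
        return False  # ticket was issued to a different third party
    if now > int(params.get("expires", "0")):
        return False  # ticket has expired
    return True
```

A real deployment would also bind the ticket to the specific data item and revoke the server key to invalidate all outstanding tickets, as URLAUTH's access-key reset does.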
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade