[Standards] BOSH patches, hopefully the last before final

Winfried Tilanus winfried at tilanus.com
Sat Feb 1 16:22:35 UTC 2014

On 01/29/2014 01:04 PM, Christian Schudt wrote:

> The problem we then had, when users wanted to connect with BOSH,
> is that our BOSH implementation (which is the one from Openfire)
> did not return a "from" attribute, which also means that during
> SASL DIGEST-MD5 authentication the realm could not be set (which
> is expected to be the server's domain name). Consequently this
> authentication failed.

Well, what is causing my confusion is that in most clients you enter
your JID to identify yourself. The part before the '@' is the local
part, usually your username; the part right after it is the domain
you want to connect to. The story of the SRV records is a way to
determine what server is actually serving that domain.

So I assume you know your domain when you enter your login credentials.

> The only solution was to either hardcode the domain name in our
> client or to make it configurable on the client's UI, which means
> there's another field for the user to fill out besides the
> hostname/IP, which might be confusing.

The situation I am used to is to let the client determine the server
automatically, based on the domain part of the JID. If that does not
work, you can tick a box to manually enter a server address. But in
both cases you know to what domain you try to connect.

> (For normal XMPP on 5222 it works in this case, since the 'from'
> attribute is included in the stream header response).

Please note that you should not trust any 'from' before the stream
restart. The server may send anything there.

> I don't know if this use case is "valid" or if you expect to know
> the identity (as you said), i.e. the domain name before
> connecting.

I don't think a case can be 'valid' or not. I try to judge if we
should break open the BOSH XEPs for this (which would be a more than
major thing at this stage).

Up to now, I am far from convinced, because you should already provide
the domain name when configuring the client with the credentials of
the user.

> But I guess this use case is quite similar to
> http://xmpp.org/rfcs/rfc6120.html#tcp-resolution-srvnot
> "(say, to "hardcode" an association from an origin domain of
> example.net to a configured FQDN of apps.example.com)"

Yes, that is about overwriting the automatic server discovery by
specifying a server by hand. That is the situation you are in too.

> in which case you would connect to
> "http://apps.example.com/http-bind/" but would never know that the
> origin domain name is actually "example.net".

Once the BOSH session is established, your XMPP stream is opened and
you are authorized, then you do your resource binding. After that you
know what domain the server thinks you have. But if that differs from
the domain in your JID, you should treat that as an error.
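As an added illustration (not code from this thread, from Openfire or from any BOSH library), a client-side check in Python for the situation described in the reply: the domain of the JID returned by resource binding is compared with the domain the user configured, and a stream header 'from' is only consulted after the stream restart. The function names and the sample bind replies are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS_BIND = "urn:ietf:params:xml:ns:xmpp-bind"

def domain_of(jid):
    """Domain part of a JID (localpart@domain/resource), lowercased for comparison."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower()

def bound_jid(bind_result_xml):
    """Pull the server-assigned full JID out of an <iq type='result'/> bind reply."""
    iq = ET.fromstring(bind_result_xml)
    if iq.get("type") != "result":
        raise ValueError("bind reply is not a result (type=%r)" % iq.get("type"))
    jid = iq.find("{%s}bind/{%s}jid" % (NS_BIND, NS_BIND))
    if jid is None or not (jid.text or "").strip():
        raise ValueError("bind result carries no <jid/>")
    return jid.text.strip()

def domain_problem(configured_jid, bind_result_xml, stream_from=None, stream_restarted=False):
    """Return None when the server's view of the domain matches the JID the user
    configured, otherwise a description of the mismatch (the client should then
    abort rather than continue the session).

    stream_from is the 'from' of the most recent stream header.  It is consulted
    only when stream_restarted is True (after SASL); the value sent before the
    restart is unauthenticated and is deliberately ignored.
    """
    expected = domain_of(configured_jid)
    got = domain_of(bound_jid(bind_result_xml))
    if got != expected:
        return "bound to domain %s but configured for %s" % (got, expected)
    if stream_restarted and stream_from and domain_of(stream_from) != expected:
        return "post-restart stream 'from' is %s, expected %s" % (domain_of(stream_from), expected)
    return None

# Constructed sample bind replies (not captured from any real server).
BIND_OK = ("<iq type='result' id='bind_1'><bind xmlns='%s'>"
           "<jid>juliet@example.net/balcony</jid></bind></iq>" % NS_BIND)
BIND_OTHER_DOMAIN = BIND_OK.replace("example.net", "apps.example.com")

if __name__ == "__main__":
    print(domain_problem("juliet@example.net", BIND_OK))            # None
    print(domain_problem("juliet@example.net", BIND_OTHER_DOMAIN))  # mismatch text
    # A pre-restart 'from' must not influence the decision:
    print(domain_problem("juliet@example.net", BIND_OK, "unverified.example", False))  # None
```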
