[Standards] guest access

Peter Saint-Andre - &yet peter at andyet.net
Fri Jun 26 12:38:14 UTC 2015


On 6/26/15 5:26 AM, Matthew Wild wrote:
> On 26 June 2015 at 00:51, Peter Saint-Andre - &yet <peter at andyet.net> wrote:
>> Lance Stout and I had a conversation the other day about what we call "guest
>> access" to an XMPP application. As example, consider a chat service (text,
>> video, what have you) that has registered users and the ability for
>> registered users to invite ad-hoc users to a session or meeting. This kind
>> of functionality is quite common with applications like video conferencing
>> (Talky, Jitsi Meet, WebEx, etc.).
>>
>> If this kind of application is based on XMPP, the invited user needs to gain
>> access to the network (i.e., authenticate somehow) in order to join the
>> conference. However, for security and scaling reasons it makes sense to have
>> these ad-hoc users authenticate at a different place than the registered
>> users. (Often, but not always, the ad-hoc users might "authenticate" using
>> the SASL ANONYMOUS mechanism, but other methods are possible such as token
>> auth.)
>>
>> Thus we need a way for a client to discover where it can authenticate as an
>> ad-hoc or guest user. We don't want to use a DNS SRV Service name of
>> "xmpp-client" because that will point clients to the service endpoint for
>> registered users. What we came up with was to use a new DNS SRV Service name
>> of "xmpp-guest", which would point to the service endpoint for guest access.
>>
>> Has anyone else deployed this kind of pattern? If so, how did you solve the
>> problem of service endpoint discovery? Would you find it helpful to have a
>> DNS SRV Service name for this kind of access?
>
> Would a TXT record not be more appropriate?

Not according to IETF folks. There's a real animus against TXT records 
for SRV-ish things (and this seems like one of them).

> Containing the XMPP host
> of a suitable place to authenticate anonymously? A SRV will tell you
> where to connect to, but not which XMPP host to use.

Sure, you need to do the SRV two-step.

> TXT gives you
> both (because you can proceed with the usual SRV lookups for the guest
> host, once you know it).
>
> If you're using the same XMPP host for non-guest and guest, I don't
> see the need for an extra DNS record. I don't see a use-case for
> non-guest and guest on the same XMPP host but different network hosts

To my mind, it's about separation of concerns - I'd rather not mix my 
anonymous users with my registered users.

> (just use clustering(TM)).

Given that we're using Prosody, I suppose I'll take up *that* topic in 
the Prosody chatroom. ;-)

> Finally, if we were to use TXT, then maybe this is a candidate for
> inclusion in XEP-0156?

If we were to use TXT, yes.

Peter

-- 
Peter Saint-Andre
https://andyet.com/
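The discovery pattern debated above (an `xmpp-guest` SRV service name beside the existing `xmpp-client` one, and the point that an SRV record says where to connect but not which XMPP domain to address) can be shown with a small client-side resolver. The following is an added example, not code from the thread, from Prosody, or from any XMPP project; it uses constructed SRV records embedded as a fake zone instead of live DNS, treats "xmpp-guest" as the proposed and unregistered name it is in the thread, and implements the RFC 2782 priority/weight ordering that any SRV client has to do. The fallback behaviour (a guest gets no endpoint when the domain publishes no `_xmpp-guest` record or explicitly refuses it with a "." target) is a design choice assumed here, not one the thread settles.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

# Constructed zone data standing in for a resolver's answer; none of these are real hosts.
# "_xmpp-guest" is the service name proposed in the thread, not a registered one.
ZONE: Dict[str, List[SrvRecord]] = {
    "_xmpp-client._tcp.example.com": [
        SrvRecord(priority=10, weight=60, port=5222, target="xmpp1.example.com"),
        SrvRecord(priority=10, weight=40, port=5222, target="xmpp2.example.com"),
        SrvRecord(priority=20, weight=0, port=5222, target="xmpp-backup.example.com"),
    ],
    # Separate endpoint for ad-hoc users, as the thread argues for (separation of concerns).
    "_xmpp-guest._tcp.example.com": [
        SrvRecord(priority=10, weight=0, port=5222, target="guest.example.com"),
    ],
    # RFC 2782: a lone record with target "." means "this service is not available here".
    "_xmpp-guest._tcp.noguest.example": [
        SrvRecord(priority=0, weight=0, port=0, target="."),
    ],
}

def lookup_srv(service: str, domain: str, zone: Dict[str, List[SrvRecord]] = ZONE) -> Optional[List[SrvRecord]]:
    """Return the SRV records for _<service>._tcp.<domain>, or None if the name has none."""
    return zone.get(f"_{service}._tcp.{domain}")

def order_srv(records: List[SrvRecord], rng=random) -> List[SrvRecord]:
    """Order records as RFC 2782 prescribes: lowest priority first, and within one
    priority a weighted random draw (weight-0 records sit first in the candidate
    list so they are chosen only when the draw lands on 0)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:          # first record whose running sum reaches the draw
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered

def discover_endpoint(domain: str, guest: bool, rng=random) -> Optional[Tuple[str, int, str]]:
    """Pick (connect_host, port, stream_to) for a user of `domain`.

    Guests look up the proposed _xmpp-guest service, registered users _xmpp-client.
    Assumed policy: a guest gets nothing if the domain publishes no guest record or
    refuses the service with a "." target; we never fall back to the registered endpoint.
    The XMPP domain for the stream's 'to' attribute is still `domain`: SRV only tells us
    where to connect, which is exactly the gap Matthew raises for TXT vs SRV."""
    service = "xmpp-guest" if guest else "xmpp-client"
    records = lookup_srv(service, domain)
    if not records:
        return None
    if len(records) == 1 and records[0].target == ".":
        return None
    best = order_srv(records, rng)[0]
    return (best.target, best.port, domain)

if __name__ == "__main__":
    print("guest     ->", discover_endpoint("example.com", guest=True))
    print("registered->", discover_endpoint("example.com", guest=False))
    print("no guest  ->", discover_endpoint("noguest.example", guest=True))
```

The weighted draw means a registered user of `example.com` lands on `xmpp1` about 60% of the time and on `xmpp2` otherwise, with the backup only reachable if both priority-10 targets fail; the guest lookup always returns the single `guest.example.com` endpoint, while the domain that publishes a "." target yields no endpoint at all.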
