[Standards] Proposed XMPP Extension: Authorization Tokens

Andrew Nenakhov andrew.nenakhov at redsolution.com
Mon Sep 16 10:06:00 UTC 2019


Sun, 15 Sep 2019 at 14:39, Daniel Gultsch <daniel at gultsch.de>:
> On Wed, 11 Sep 2019 at 15:33, Jonas Schäfer <jonas at wielicki.name> wrote:
> > Title: Authorization Tokens
> > Abstract:
> > This document defines an XMPP protocol extension for issuing
> > authentication tokens to client applications and provides methods for
> > managing client connections.
> >
> > URL: https://xmpp.org/extensions/inbox/auth-tokens.html
> Shouldn't a session that is authorized with a token be restricted in
> issuing new tokens and changing the user's password?

Restricting changing the user's password: absolutely, but we feel that
changing a password is out of the scope of this protocol. In our
implementation, we just turn off XEP-0077, and that kinda solves the
problem. I think In-band registration does more harm than good to
XMPP. I recall DuckDuckGo cited spammers registering with this as a
reason to turn off their XMPP server.

On issuing new tokens: that's not so definitive. We have at least one
use case where this leads to improved user experience. In the future,
we plan to improve tokens with scopes ('access roster', 'access
history', 'access stories', 'access personal data', etc). Issuing new
tokens may be one of such scopes.

Bottom end: if people here feel that we should explicitly specify that
a tokenized session should be restricted from changing password - we
can easily add it to protocol requirements.


-- 
Andrew Nenakhov
CEO, redsolution, OÜ
https://redsolution.com
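As an added illustration of the restrictions discussed in this thread (not code from the proposal, from redsolution's implementation, or from any XMPP server), a minimal server-side policy model: a token-authenticated session can never change the account password, and may issue further tokens only if it holds an assumed "issue tokens" scope and only with a subset of its own scopes. The scope names follow the ones mentioned above; the "issue tokens" scope and the no-escalation rule are assumptions of this example, not part of the XEP.

```python
import secrets
from dataclasses import dataclass, field

# Scope names modelled on the thread; "issue tokens" is an assumption.
ALL_SCOPES = frozenset({"access roster", "access history", "access stories",
                        "access personal data", "issue tokens"})


@dataclass
class Session:
    jid: str
    auth: str                              # "password" or "token"
    scopes: frozenset = field(default_factory=frozenset)


def authorize(session, action):
    """Policy check for privileged IQ-level actions on a session."""
    if action == "change-password":        # e.g. XEP-0077 password change
        return session.auth == "password"  # never from a token session
    if action == "issue-token":
        return session.auth == "password" or "issue tokens" in session.scopes
    return action in session.scopes or session.auth == "password"


class TokenStore:
    """Server-side record of issued tokens: token -> (jid, scopes)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session, scopes):
        scopes = frozenset(scopes)
        if not scopes <= ALL_SCOPES:
            raise PermissionError("unknown scope requested")
        if not authorize(session, "issue-token"):
            raise PermissionError("session may not issue tokens")
        # Assumed no-escalation rule: a token session may only delegate
        # scopes it already holds; a password session may grant any scope.
        if session.auth == "token" and not scopes <= session.scopes:
            raise PermissionError("cannot escalate scopes via a token")
        token = secrets.token_urlsafe(32)   # unguessable, 256 bits of entropy
        self._tokens[token] = (session.jid, scopes)
        return token

    def login(self, token):
        jid, scopes = self._tokens[token]   # KeyError for unknown/revoked
        return Session(jid, "token", scopes)

    def revoke(self, token):
        self._tokens.pop(token, None)       # "managing connections" side
```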

