Recently I have been working with different developers who are trying to build BOSH-based buddycloud-channels into their own websites.

The problem is:

A user needs to log into a website using their JID. A third-party website (e.g. channels.example.com) asking for your JID and password ([email protected]) should scare any sensible user and worry XMPP operators that $RANDOMWEBSITE is asking for their users' credentials.

Additionally, we also have a problem in that users need to log in repeatedly to access anything that uses a BOSH connection. While one can debate the merits of this, users are more familiar with an experience where they have to reauthenticate infrequently.

So I guess the questions that arise are:

   * How do we protect against rogue websites saving your password?
     What practices are other XMPP website developers using?
   * Is there an OAuth equivalent for XMPP?
   * What best practices are websites using to save the user logging in
     repeatedly each time the BOSH connection is destroyed (leaving the
     page)?

S.

--
Simon Tennant

mobile: +49 17 8545 0880
office: +44 20 7043 6756
office: +49 89 4209 55854

channel:http://buddycloud.com/user/buddycloud.com/simon
xmpp:[email protected]
mailto:[email protected]
