On Mon, Jan 07, 2008 at 06:16:36PM -0800, anders conbere wrote:
> On Jan 7, 2008 4:35 PM, Guenther Niess <[EMAIL PROTECTED]> wrote:
> > Hello,
> > I'm a student and within a project at the university I want to
> > implement the XEP-0070 [1] as a SASL mechanism [2]. So other
> > protocols for example imap or pop3 can easily use the authentication
> > scheme.
> >
> > I've noticed the discussion about XEP-70 in December 2007 [3] and I
> > think it would be great if we can combine the XEP-70 (for all users
> > who are online with their jabber client) and the http digest way
> > (like OpenID) which was proposed by Anders Conbere.
> >
> > I'm not really sure if I have understood the XEP-0070 correctly.
> > Is it possible to confirm a message request with a client that doesn't
> > understand the 'http://jabber.org/protocol/http-auth' namespace?
> > I think the XEP focuses only on clients which understand
> > the namespace, and the behavior of the server which receives a message
> > with ok in the body and no confirm element is undefined.
>
> I don't think I follow this paragraph, can you explain it for me?

I am thinking of implementing a fallback for clients that don't support the
x-http-auth feature (discovered by XEP 30), something like:

 1. HTTP Client requests object via HTTP.
 2. HTTP Server sends Authenticate Response via HTTP.
 3. HTTP Client sends Authorization Request via HTTP.
 4. If the requested JID is online and available then the HTTP Server
    processes request and forwards it to XMPP Server.
 5. XMPP Server requests confirmation via XMPP.
    i) With a message of the kind described in example 6, with the
       addition that the user should respond with the transaction identifier
       (for example a7374jnjlalasdf82) and ok.
 6. XMPP Client confirms request via XMPP.
    i) With a message, for example:
       <message type='chat' id='AnyId23' to='files.shakespeare.lit'>
         <body>a7374jnjlalasdf82 ok</body>
       </message>
 7. XMPP Server delivers confirmation to HTTP Server.
 8. HTTP Server allows HTTP Client to access object.

> > So I think a good solution for http authentication is the XEP-70 when
> > it is clear that all users that are online can confirm the request
> > and for others they are redirected to the XMPP server and can
> > authenticate themselves via user credentials.
> >
> > [1] http://www.xmpp.org/extensions/xep-0070.html
> > [2] http://tools.ietf.org/html/rfc4422
> > [3] http://mail.jabber.org/pipermail/standards/2007-December/017406.html
--
Günther
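
Added example, not part of the original message or of XEP-0070: one way the receiving side could check the plain-body confirmation from steps 6 and 7, binding the reply to the JID that was asked and making each transaction identifier single-use. The names PENDING, open_request and handle_confirmation, the 120-second lifetime, and the 'from' address in the sample stanza are assumptions; the stanza is parsed without a stream namespace, as it is written in the message above.

```python
import time
import xml.etree.ElementTree as ET

# Hypothetical store: transaction id -> (bare JID that was asked, expiry time).
PENDING = {}

def open_request(txid, jid, ttl=120, now=None):
    """Step 5: remember which JID was asked to confirm which transaction."""
    now = time.time() if now is None else now
    PENDING[txid] = (bare_jid(jid), now + ttl)

def bare_jid(jid):
    """user@host/resource -> user@host (lower() stands in for real JID prep)."""
    return jid.split("/", 1)[0].lower()

def handle_confirmation(stanza_xml, now=None):
    """Steps 6-7: return the confirmed transaction id, or None if rejected."""
    now = time.time() if now is None else now
    msg = ET.fromstring(stanza_xml)
    if msg.tag != "message" or msg.get("type") == "error":
        return None
    # 'from' is stamped by the sender's server, so it identifies the account.
    sender = bare_jid(msg.get("from", ""))
    words = (msg.findtext("body") or "").split()
    # Accept only the exact two-token form "<txid> ok".
    if len(words) != 2 or words[1].lower() != "ok":
        return None
    txid = words[0]
    entry = PENDING.get(txid)
    if entry is None:
        return None
    asked_jid, expiry = entry
    if now > expiry:
        del PENDING[txid]          # stale request: drop it
        return None
    if sender != asked_jid:        # someone else echoing a leaked identifier
        return None
    del PENDING[txid]              # single use: a replayed message confirms nothing
    return txid

if __name__ == "__main__":
    # Constructed sample: the message from step 6 plus a server-stamped 'from'.
    open_request("a7374jnjlalasdf82", "juliet@capulet.com")
    reply = ("<message type='chat' id='AnyId23' from='juliet@capulet.com/balcony' "
             "to='files.shakespeare.lit'><body>a7374jnjlalasdf82 ok</body></message>")
    print(handle_confirmation(reply))   # accepted once
    print(handle_confirmation(reply))   # replay is rejected
```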