On Tue, Jan 08, 2008 at 01:14:41PM -0700, Peter Saint-Andre wrote:
> I was just chatting about this with Maciek Niedzielski and he suggested
> a different kind of workflow for XEP-0070-like functionality:
>
> 1. User visits www.example.com
>
> 2. The website advertises a link to an XMPP-based authorization service,
> such as:
>
> xmpp:[EMAIL PROTECTED];body=[some-unique-id-here]
>
> (The message could also include some kind of data form or hidden content
> that can't be modified by the user.)

Maybe this link can have two targets, one is the XMPP URI and the other the requested side which needs the authentication. But I've no idea how to do this in a nice way.

> 3. User clicks the link and launches their Jabber client
>
> 4. Jabber client sends an XMPP message to the auth service:
>
> <message from='[EMAIL PROTECTED]' to='[EMAIL PROTECTED]'>
>   <body>[some-unique-id-here]</body>
> </message>

I think this message should also include the requested URL. This can help the website to have more than one realm.

> 5. The website refreshes with some verification

I'm not sure how this can be done in a nice way. My only idea is via JavaScript, but maybe it will be better to work with the HTTP protocol or something else (in case that at 2. one link with two targets is not an appropriate solution).

> Now the user is authorized at www.example.com (or a particular page there).

Should this workflow use the HTTP Auth method as described in the RFC (basic or something else)?

Is someone working on the XEP? If not, then I would start writing a draft, but I think I need some help.

-- 
Günther Nieß
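
Added example, not part of the original message or of XEP-0070: one way the website side of the workflow above could track the unique id, binding it to the browser session and the requested URL (as the reply to step 4 suggests) and making it single-use and short-lived. The class and method names, the 120-second lifetime and the sample values are assumptions; `from_jid` is assumed to be the sender address as delivered by the XMPP server.

```python
import secrets
import time

TOKEN_TTL = 120  # seconds; assumed lifetime of an unanswered link


class PendingAuthStore:
    """Hypothetical store for the unique ids placed in the xmpp: link."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}     # token -> (session_id, url, expires_at)
        self._authorized = {}  # session_id -> (bare_jid, url)

    def issue(self, session_id, url):
        """Step 2: unguessable id for the link shown to this browser session."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (session_id, url, self._now() + TOKEN_TTL)
        return token

    def confirm(self, from_jid, body, url):
        """Step 4: the auth service received <body>token</body> plus the URL."""
        # pop() makes the id single-use, even when a later check fails
        entry = self._pending.pop(body.strip(), None)
        if entry is None:
            return False
        session_id, issued_url, expires_at = entry
        if self._now() > expires_at or url != issued_url:
            return False
        bare_jid = from_jid.split("/", 1)[0]  # drop the resource part
        self._authorized[session_id] = (bare_jid, issued_url)
        return True

    def authorized_jid(self, session_id, url):
        """Step 5: what the website checks when the page refreshes."""
        jid, granted_url = self._authorized.get(session_id, (None, None))
        return jid if granted_url == url else None


if __name__ == "__main__":
    # Constructed sample values, for illustration only
    store = PendingAuthStore()
    page = "https://www.example.com/private"
    token = store.issue("session-abc", page)
    print(store.confirm("user@example.org/laptop", token, page))  # accepted
    print(store.confirm("user@example.org/laptop", token, page))  # replay
    print(store.authorized_jid("session-abc", page))
```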
