Guenther Niess wrote:
On Tue, Jan 08, 2008 at 01:14:41PM -0700, Peter Saint-Andre wrote:
I was just chatting about this with Maciek Niedzielski and he suggested a different kind of workflow for XEP-0070-like functionality:

1. User visits www.example.com

2. The website advertises a link to an XMPP-based authorization service, such as:

  xmpp:[EMAIL PROTECTED];body=[some-unique-id-here]

(The message could also include some kind of data form or hidden content that can't be modified by the user.)

As mentioned, such things can be hacked, so ignore that comment.

Maybe this link can have two targets, one is the XMPP URI and the other
the requested side which needs the authentication. But I've no idea
how to do this in a nice way.

That might simply be included in the body.

3. User clicks the link and launches their Jabber client

I should have said: "... or a jabber-enabled browser plugin."

4. Jabber client sends an XMPP message to the auth service:

<message from='[EMAIL PROTECTED]' to='[EMAIL PROTECTED]'>
  <body>[some-unique-id-here]</body>
</message>

I think this message should also include the requested URL. This can help the website to have more than one realm.

Yes, that should go in the message body as well.

5. The website refreshes with some verification

I'm not sure how this can be done in a nice way. My only idea is via
JavaScript, but maybe it will be better to work with the HTTP protocol
or something else (in case that at 2. one link with two targets is not
an appropriate solution).

That's a problem for website designers. :)

Now the user is authorized at www.example.com (or a particular page there).

Should this workflow use the HTTP Auth method as described in the RFC (basic or something else)?

Well, the idea was that the site would advertise a special xmpp: URI for authorization, you would click that in your browser, the browser would hand off the URI to your Jabber client (which presumably you're using at the moment) or to a jabber-enabled browser plugin, and you would not have to be bothered with HTTP auth. This is kind of like XEP-0070 except the XMPP message is generated by the user, not the website (thus cutting down on the spam possibilities inherent in XEP-0070). But the token is generated by the website, so in that sense it is similar to RFC 4467:

http://www.ietf.org/rfc/rfc4467.txt

Is someone working on the XEP? If not, then I would start writing a
draft, but I think I need some help.

I think Maciek Niedzielski and I will work on this soon. And BTW we plan on deploying this system for user authentication (well, I suppose it's really authorization) at the new jabber.org website. So that will give us some practical experience with this method.

Peter

--
Peter Saint-Andre
https://stpeter.im/
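The website side of the workflow sketched in this thread (steps 2, 4 and 5), as an added example in Python that is not code from the thread or from any XEP: the auth-service JID, the "token URL" body layout, the in-memory stores and the five-minute lifetime are all assumptions. It shows the checks a deployer would want: the token is unguessable, expires, is accepted once, and is bound to the URL it was issued for; the authorizing JID is read from the stanza's from address, which the user's own XMPP server stamps, so the auth service does not rely on the client for it.

```python
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Hypothetical JID of the website's authorization service (assumed, not from the thread).
AUTH_JID = "auth.example.com"


class AuthService:
    """Website-side state for the xmpp:-URI authorization flow."""

    def __init__(self, ttl=300, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.ttl = ttl          # token lifetime in seconds (assumed value)
        self.pending = {}       # token -> (requested URL, expiry time)
        self.sessions = {}      # token -> bare JID that authorized it

    def issue_link(self, url):
        # Step 2: mint a random, short-lived, single-use token bound to the
        # requested page and advertise it as an RFC 5122 xmpp: URI whose
        # message body carries both the token and the URL.
        token = secrets.token_urlsafe(24)
        self.pending[token] = (url, self.now() + self.ttl)
        body = quote(f"{token} {url}", safe="")
        return token, f"xmpp:{AUTH_JID}?message;body={body}"

    def handle_message(self, stanza):
        # Step 4: the auth service receives the <message/> the user's client sent.
        msg = ET.fromstring(stanza)
        if msg.tag != "message":
            return None
        parts = (msg.findtext("body") or "").split(None, 1)
        if len(parts) != 2:
            return None
        token, url = parts
        # pop() makes the token single-use even when the rest of the check fails,
        # so a replayed or mis-addressed message cannot be retried later.
        entry = self.pending.pop(token, None)
        if entry is None or entry[1] < self.now() or entry[0] != url:
            return None
        # The from address was stamped by the sender's XMPP server, so it is the
        # identity the site records; strip the resource to keep the bare JID.
        jid = msg.get("from", "").split("/", 1)[0]
        self.sessions[token] = jid
        return jid

    def check(self, token):
        # Step 5: the page refreshes and asks which JID (if any) authorized it.
        return self.sessions.get(token)
```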
