An alternative option is to define a new HTTP auth scheme. This is probably the "right" way to go, but... it *requires* browser support, as there will be no backward-compatible mode.

Yet another alternative is to change protocol flow:
1. server sends you the auth agent JID (and only this) as realm
2. user asks agent (via XMPP) for one-time token/password
3. user provides this token as HTTP auth password (leaving username blank)
Advantages are:
* Multiple realms supported! Just use different auth agent JID for each realm. And xmpp:[EMAIL PROTECTED] is a more acceptable "abuse" of realm
* This is pretty much like original XEP-70, but without the spamming problem.

This is pretty much how XEP-0101 works, although as currently defined it sends the token back to the HTTP server using its own auth scheme rather than using Basic, but that could be an easy fall back method.

Richard
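The three-step flow from the quoted proposal, as an added example that is not from this thread or from XEP-0101: the HTTP server advertises only the agent JID as the Basic realm, the agent issues a one-time token (the XMPP leg is omitted), and the server accepts that token as the Basic password with a blank username, consuming it on first use. The JIDs and the `OneTimeTokenServer`/`parse_realm`/`basic_header` names are constructed for the example.

```python
import base64
import re
import secrets


class OneTimeTokenServer:
    """HTTP side of the proposed flow: realm = agent JID, token = Basic password."""

    def __init__(self, agent_jid):
        self.agent_jid = agent_jid
        self._tokens = {}  # token -> user JID it was issued to (single use)

    def challenge_header(self):
        # Step 1: the WWW-Authenticate realm carries only the auth agent's JID.
        return 'Basic realm="%s"' % self.agent_jid

    def issue_token(self, user_jid):
        # Step 2: what the agent would hand the user over XMPP (transport omitted).
        token = secrets.token_urlsafe(24)
        self._tokens[token] = user_jid
        return token

    def authenticate(self, authorization_header):
        # Step 3: Basic credentials with a blank username and the token as password.
        scheme, _, encoded = authorization_header.partition(" ")
        if scheme != "Basic":
            return None
        try:
            username, _, password = base64.b64decode(encoded).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        if username != "":
            return None  # the proposal leaves the username blank; anything else is rejected
        # pop() removes the token, so a replayed header fails the second time.
        return self._tokens.pop(password, None)


def parse_realm(www_authenticate):
    """Client side of step 1: pull the agent JID out of the realm parameter."""
    match = re.search(r'realm="([^"]*)"', www_authenticate)
    return match.group(1) if match else None


def basic_header(token):
    """Client side of step 3: blank username, token as password."""
    return "Basic " + base64.b64encode((":" + token).encode()).decode()
```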
