Maciek Niedzielski wrote:
Yet another alternative is to change protocol flow:

1. server sends you auth agent JID (and only this) as realm
2. user asks agent (via XMPP) for one-time-token/password
3. user provides this token as HTTP auth password (leaving username blank)

Advantages are:

* Multiple realms supported! Just use different auth agent JID for each realm. And xmpp:[EMAIL PROTECTED] is a more acceptable "abuse" of realm
* This is pretty much like original XEP-70, but without spamming problem.
I think that is worth pursuing. How does the browser know what to do with a realm that is an XMPP URI? Is there a browser plugin that passes that off to a Jabber client so it can send the token request to the agent?
Now of course we could use the same protocol flow for authentication based on HTML forms (instead of HTTP-headers):

1. website displays agent JID (may be clickable)
2. user asks agent for a token (these two steps could be automated like before: xmpp:[EMAIL PROTECTED];body=give_me_token) and agent sends it back in a message
3. user does copy/paste and logs in.

Honestly, this was my initial idea. But then I thought: if I replaced "give me token" with "give me token, my session id is 1234", then server could proceed with authentication without user pasting the token back to the browser.
The copy+paste thing does slow it all down. But if your browser plugin is Jabber-enabled then you don't need to involve an IM client, right?
Is someone working on the XEP? If not, then I would start writing a draft, but I think I need some help.

My draft of this Informational Tip-of-the-Day XEP would be:

To bind XMPP identity to HTTP "session"(*), display an opaque token on your site and ask visitor to send it to you via XMPP, using his/her desired JID. End ;)
Heh.
(* - I know that there is no such thing as HTTP session, but somehow it works in "real life")

Of course, if we want a solution that may be automated, adding <link rel="xmppauth">, etc. could help.
Sure, that auto-discovery stuff is always good.

Peter

--
Peter Saint-Andre
https://stpeter.im/
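The token-to-session binding sketched in the thread (site displays an opaque token, visitor sends it over XMPP, server ties the sender's JID to the HTTP session), as an added example that is not code from either poster or from any XEP. `SessionBinder`, its method names and the 120-second lifetime are assumptions, and the agent is assumed to be handed the `from` address as stamped by the XMPP server.

```python
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a displayed token stays valid (assumed value)


class SessionBinder:
    """Binds an XMPP JID to an HTTP session via a token shown on the site."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # token -> (session_id, expiry)
        self._bound = {}    # session_id -> bare JID

    def issue_token(self, session_id):
        """Called by the web app when it renders the login page."""
        # Drop any earlier token for this session so only one is live.
        self._pending = {t: v for t, v in self._pending.items()
                         if v[0] != session_id}
        token = secrets.token_urlsafe(16)  # 128 random bits, opaque to the user
        self._pending[token] = (session_id, self._clock() + TOKEN_TTL)
        return token

    def on_xmpp_message(self, from_jid, body):
        """Called by the auth agent for each incoming message.

        from_jid must be the stanza's 'from' attribute as stamped by the
        XMPP server, never a JID parsed out of the message body.
        """
        candidate = body.strip().encode()
        match = None
        for token in list(self._pending):
            # Constant-time comparison against every live token.
            if hmac.compare_digest(token.encode(), candidate):
                match = token
        if match is None:
            return None
        session_id, expiry = self._pending.pop(match)  # single use
        if self._clock() > expiry:
            return None
        self._bound[session_id] = from_jid.split("/", 1)[0]  # strip resource
        return session_id

    def jid_for(self, session_id):
        """Web app polls this to learn which JID, if any, authenticated."""
        return self._bound.get(session_id)
```

The web application calls `issue_token` when rendering the page and polls `jid_for`; the XMPP agent calls `on_xmpp_message` for every message it receives.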
