On Thu, Feb 14, 2019 at 1:20 PM Ненахов Андрей <[email protected]> wrote:
>
> Thu, 14 Feb 2019 at 17:09, Ivan Vučica <[email protected]>:
>>
>> An advantage is that OAuth2 tokens are scoped. Such a token could in future
>> be scoped for XMPP or for subsets of XMPP operations — or even for other
>> services. Because of the split between short lived access and refresh token,
>> revocation becomes an easy webui operation.
>>
>> And because login happens through a web UI, 2FA for first login becomes easy
>> and not (necessarily) dependent on the client UI.
>
> I'm strongly against addressing XMPP problem by means of other protocols.
> Besides obvious complications in situations where one protocol is blocked and
> not the other.

Technically, OAuth2 is not really tied to HTTP, if this is what you mean. For all that it matters, you could use XMPP as the transport to obtain the access+refresh token (or just a 'permanent' access token).

> Also, if you imply that you can easily assure user that you're not trying to
> steal user's password, that is just plain wrong. While user in a real
> browser can check browser window URL and, trusting his browser, be sure that
> he's trying to log in to an authentic website, native apps can just open a
> webview window and user won't see if it's an authentic website or a phishing
> proxy.

No, I don't imply that. An important thing the original proposal addresses is storing the single, master, non-scoped, non-application-specific password on the client device. It gets used and transmitted at every login.

The only way you could address your problem is to issue the access credentials via a desktop, which indeed is addressed in the original proposal. However, I see this problem as totally orthogonal to 'how do we get rid of stored unscoped master passwords on every device a user uses'.
