Thread: Re: Authentication via XMPP (Concern over XEP-70)

2008-01-08 14:14:41
Dave Cridland wrote:

> XEP-0070 doesn't introduce a new mechanism, in the protocol sense, it
> introduces a hack to get Basic to be used for identity assertion.
> (Actually, ownership of a jid).

I was just chatting about this with Maciek Niedzielski and he suggested
a different kind of workflow for XEP-0070-like functionality:

1. User visits www.example.com

2. The website advertises a link to an XMPP-based authorization service,
such as:

   xmpp:authexample.com?message;body=[some-unique-id-here]

(The message could also include some kind of data form or hidden content
that can't be modified by the user.)

3. User clicks the link and launches their Jabber client

4. Jabber client sends an XMPP message to the auth service:

<message from='userexample.net' to='authexample.com'>
   <body>[some-unique-id-here]</body>
</message>

5. The website refreshes with some verification

Now the user is authorized at www.example.com (or a
particular page there).

This removes the worry about someone else typing in your JID and
spamming you with XMPP messages, because you initiate the exchange (not
the website).

Thoughts?

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
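
Added example (not part of the original message or of any XEP): a minimal Python sketch of the auth-service side of the five-step workflow proposed above, showing the unique id bound to one web session, usable once, and expiring. The class `AuthService`, its method names and the five-minute lifetime are assumptions, and the sketch assumes the delivering XMPP server has already validated the stanza's `from` address.

```python
import secrets
import time

TOKEN_TTL = 300  # assumed lifetime of an unused link, in seconds


class AuthService:
    """Hypothetical back end behind the auth JID (all names are assumptions)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # unique id -> (web session id, expiry time)
        self._verified = {}  # web session id -> bare JID that claimed it

    def issue_link(self, session_id, auth_jid):
        """Step 2: mint an unguessable id bound to one web session."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (session_id, self._clock() + TOKEN_TTL)
        return token, f"xmpp:{auth_jid}?message;body={token}"

    def on_message(self, from_jid, body):
        """Step 4: process <message from=...><body>id</body></message>.

        Returns the web session that was authorized, or None.
        """
        entry = self._pending.pop(body.strip(), None)  # pop: ids are single use
        if entry is None:
            return None  # unknown or already-used id
        session_id, expiry = entry
        if self._clock() > expiry:
            return None  # link was left unused for too long
        # Drop the resource so the session is tied to the account, not a client.
        # Full JID normalization is out of scope for this sketch.
        self._verified[session_id] = from_jid.split("/", 1)[0]
        return session_id

    def jid_for_session(self, session_id):
        """Step 5: the website checks this when the page refreshes."""
        return self._verified.get(session_id)
```

The website would call `issue_link` when rendering the page, and the XMPP component would pass each incoming stanza's `from` and body to `on_message`.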
