-
Schimon
Good evening! Is there a mechanism to utilize a token or request to connect to an XMPP account, instead of using passwords? By "request", I mean to notify that XMPP service requests to connect to specified account, and the connection occurs on another platform which approves the connection (e.g. OpenUserJS does this when connecting to its system).
-
Schimon
https://blasta.woodpeckersnest.eu/connect Blasta is a service which requires an XMPP account and it needs JID and Password. I think that it would be better to allocate a token (temporary or permanent) to it. Even better, to negotiate with another server which would approve that the credentials are correct. Similar to OpenID.
-
moparisthebest
Schimon: https://xmpp.org/extensions/xep-0493.html
-
Schimon
XEP-0493: OAuth Client Login
-
moparisthebest
Also https://xmpp.org/extensions/xep-0484.html
-
Schimon
OAuth is a good mechanism. Thank you moparisthebest.
-
moparisthebest
Lastly see https://xmpp.org/extensions/xep-0494.html
-
Schimon
> Also https://xmpp.org/extensions/xep-0484.html
> This specification defines a token-based method to streamline authentication in XMPP, allowing fully authenticated stream establishment within a single round-trip.
What does "round-trip" mean?
-
moparisthebest
Uuuuhhhhh, every request to + response from the server is a round trip
-
Schimon
Which XEP do you recommend to implement?
-
moparisthebest
So one round trip would be a protocol that looks like:
Client > server: hi I'm Bob and here is my password log me in please
Server > client: hi Bob that's correct you are logged in now
-
Zash
If your goal is to avoid dealing with users credentials directly, XEP-0493 is what you want
-
Schimon
Thank you. Zash. Yes. This is the purpose. I would rather not have credentials exposed to Blasta.
-
Zash
XEP-0484 only works _after_ an initial authentication, which means you need another method to start with
-
moparisthebest
Multiple round trips are like:
Client>server: hi I'm a client can I log in?
Server>client: sure what's your name?
Client>server: I'm Bob
Server>client: hi Bob what's your password?
Client>server: my password is X
Server>client: welcome back Bob that's right you are logged in now
-
Schimon
Zash. Do you have any advice on what method to utilize?
-
Zash
> If your goal is to avoid dealing with users credentials directly, XEP-0493 is what you want
That's what this was
-
moparisthebest
Latency, especially mobile connections, makes that second one noticeably longer
-
Schimon
moparisthebest. Thank you for the elaboration. I might need to read it several times.
-
Zash
XEP-0493 is a lot of words for "use OAuth 2"
-
Schimon
> That's what this was
I have expanded my answer, just to dispel any doubt as to what I was exactly answering positively.
-
moparisthebest
Schimon: if it helps imagine every line as a letter mailed back and forth between the client and the server, in reality they are packets
-
Schimon
moparisthebest. So a multiple round trip would ask for credentials upon each line, and a single one will ask only once for all lines?
-
moparisthebest
So each line is a letter, and you gotta wait for the response until you send the next
-
moparisthebest
So the first involves the client mailing 1 letter and waiting for the server to mail 1 back, then he's logged in
-
moparisthebest
The second has the client mailing 3 letters and the server mailing 3 letters before login finishes
-
singpolyma
Schimon: no. Less round trips is just a minor performance thing. It's nothing to do with credentials
-
singpolyma
It's a small reduction in security for a small increase in speed, basically
-
Schimon
singpolyma. Thank you. I need to read about it.
-
Schimon
5.2 Authentication vs Authorization
> Note well that this specification is about an XMPP account owner granting (i.e. authorizing) an application access to their account. It is not about the account owner asserting any particular identity to the application, nor *is is* it designed to assert the identity of the application towards the XMPP service.
Notice: "is is". https://xmpp.org/extensions/xep-0493.html#authentication-vs-authorization