-
arcanicanis
Have there been any proposed authentication mechanisms for some sort of scoped ANONYMOUS or some 'invite' system, where you could have an anonymous user, but only very scoped access (like to a specific MUC room, for example)?
-
moparisthebest
don't need a mechanism for that, right? you can just configure a host to allow anonymous login and restrict it to a certain muc host or whatever
-
moparisthebest
very commonly done for web support chat via muc
-
arcanicanis
But I mean where the invite would be scoped to a specific room (unless explicitly invited to others also, by their temporary JID), versus allowing anonymous users to just find and spam any MUC. Additionally, if authentication for anonymous users is invite-based, then that itself serves as some control against abuse (and also as a mechanism for accountability: e.g. if someone is generating 'invites' for people that are intentionally abusing it, then it's possible to plug the holes causing abuse).
-
moparisthebest
set up any current invite system on a domain and then restrict it to a certain muc host or whatever?
-
singpolyma
usually anonymous users are not allowed to join arbitrary MUCs
-
singpolyma
Though I'm not convinced that's as useful as we thought since getting a new jid over IBR is trivial
-
moparisthebest
so true
-
testxxxi
is there any protocol extension to verify clients against their TLS certificates? like Dovecot does for IMAP?
-
luca
Like SASL EXTERNAL?
-
testxxxi
just found it https://xmpp.org/extensions/xep-0257.html
-
Guus
That is SASL EXTERNAL. It is commonly used to authenticate other servers in server-to-server federation, but it can also be used to authenticate end-user clients.
-
Guus
That'd typically involve issuing your own client certificates though - not a straightforward task, but not unheard of in mostly larger organizations.
-
testxxxi
already did it for email, might as well for XMPP
-
testxxxi
but I'm not seeing evidence ejabberd supports that
-
moparisthebest
your bigger problem will be finding clients that still support it