-
icebound.dev
> > I strongly believe in a different account for every service, with a different randomised password + TOTP, one service being pwned therefore can't harm another. > > I believe in an amount of work that the couple people at the hackerspace can actually do, preferably without getting burnt out. How big is said hackerspace, like how many accounts are we speaking of?
-
icebound.dev
I never imagined hackerspaces being big enough that they would need centralised authentication
-
icebound.dev
In any case, I dont see why this needs to be enforced so rigidly. Does it hurt for XMPP to be hosted without integration?
-
icebound.dev
XMPP can also be used without needing to be hosted by the hackerspace anyway; people can use their own personal accounts. Although not ideal, it still means you can use XMPP within the hackerspace.
-
moparisthebest
be like elsa, let it go
❤️ 1 -
Link Mauve
icebound.dev, the whole point of being a hackerspace is that you can do fun things in ways that don’t strictly make sense based on the time vs. reward scale.
❤ 1 -
erebion
> icebound.dev, the whole point of being a hackerspace is that you can do fun things in ways that don’t strictly make sense based on the time vs. reward scale. Yes. We also save time and effort which can be put into nicer things. Hosting stuff is okay, we just don't need another fulltime job. :)
👍 1 -
icebound.dev
> be like elsa, let it go xD
-
icebound.dev
> > icebound.dev, the whole point of being a hackerspace is that you can do fun things in ways that don’t strictly make sense based on the time vs. reward scale. > > Yes. We also save time and effort which can be put into nicer things. Hosting stuff is okay, we just don't need another fulltime job. :) /me shrugs
-
icebound.dev
you say you dont want a full time job, but what you want seems to be a lot of hard work for little reward
-
icebound.dev
in any case I will drop the discussion, unproductive on my part.
-
erebion
How would you even know what is little reward for us?!
-
erebion
You don't even know what we do, how our setup looks, who needs access to what, various other things...
-
erebion
It's like me saying "Your sofa is uncomfortable" without ever having seen one or knowing whether you have one or just use an armchair or whatever
-
icebound.dev
erebion, seems like you just want to fight at this point. My point was simply it seems like a lot of work. If it is worth it then go ahead, I am sure there are others here who might be interested in an OIDC integration, and I think singpolyma already has shown an interest in it (so at the very least cheogram would support such a thing).
-
icebound.dev
but my earlier point was simply, saying "the hackerspace can't use XMPP unless it supports OIDC" seems excessive. It can, it might not fit in as well, but it can. Also there's no requirement for the hackerspace to host XMPP itself either. These are all blockades put in place by you/the hackerspace to make it a very binary thing of "no OIDC, no XMPP". I was simply thinking about the problem from a broader point of view.
-
erebion
Oh please stop it. We know why we want to run our setup in a certain way, we know our setup best.
-
icebound.dev
Then I wish you luck with the integration of OIDC into both the server and client side.
-
stratself
i was confused that ere.bion and pola.rian are the same person for a moment there
-
stratself
but there's no client at all that supports oidc right?
-
stratself
and does this warrant a XEP?
-
icebound.dev
> i was confused that ere.bion and pola.rian are the same person for a moment there two very different people :p
-
icebound.dev
> but there's no client at all that supports oidc right? I think singpolyma was onto something about this, but afaik, no there isn't. Which is why I said it would be a lot of hard work.
-
icebound.dev
> and does this warrant a XEP? this would likely be the best way to do it.
-
singpolyma
we have the XEPs needed already 🙂 and the server implementation. but yes, I'm not aware of any general purpose client
-
icebound.dev
singpolyma, which XEPs out of curiosity?
-
icebound.dev
also maybe best to bring this into XSF discussions if this requires discussion on client implementation and XEPs?
-
singpolyma
I mean it's just SASL so I guess it's in the RFC. Unless you use SASL2
-
icebound.dev
singpolyma, I dont see how SASL plays a part here
-
singpolyma
For OIDC?
-
icebound.dev
yes
-
singpolyma
SASL is how you do all auth. If you use OIDC for auth you'll be doing it over SASL 🙂
-
singpolyma
and that's what the existing implementations do
-
icebound.dev
From my knowledge the flow would be:
client --> server (asks to use OIDC)
server --> OIDC provider (selected by the user)
OIDC provider <-- client <-- server (client is redirected to the provider to authenticate)
OIDC provider --> server (OIDC provider sends a token to the server when the user is successfully authenticated)
IIRC this same token is then sent to the client too, which is used to authenticate.
-
icebound.dev
singpolyma, sure...
-
icebound.dev
but you would still need to implement the third party auth
-
icebound.dev
both the server and client would need to understand there is a third party in the process
-
icebound.dev
I believe there is already a prosody module for this, so this would just require a client side implementation to be usable?
-
icebound.dev
"just"
-
icebound.dev
I havent played with OIDC much, but I believe its pretty much the same as oauth2?
-
moparisthebest
> in any case I will drop the discussion, unproductive on my part. that was a lie
-
singpolyma
correct. Right now there is no general purpose client that supports this SASL mechanism. But it is not for lack of specs just lack of code
-
icebound.dev
> correct. Right now there is no general purpose client that supports this SASL mechanism. But it is not for lack of specs just lack of code hmm, well maybe you could write a POC :p
-
icebound.dev
seems like you are interested.
-
singpolyma
and I think there's a hacky fallback where you can paste the token into PLAIN to test, but yeah
-
icebound.dev
I guess due to the similarities OIDC could also allow later to authenticate using oauth2 providers too if the logic is implemented for it.
-
icebound.dev
I dont see why an XMPP server would want to, but it could be feasible then to auth with github, or dare I say it, Discord :p
-
stratself
theyre the same thing i believe
-
icebound.dev
> theyre the same thing i believe thats what I believe too, but I dont know for sure, so I didn't want to say it :p
-
icebound.dev
> An OpenID Provider (OP) is an entity that has implemented the OpenID Connect and OAuth 2.0 protocols
-
icebound.dev
ah nvm
-
singpolyma
OIDC is oauth2 yes, they're the same protocol really
-
icebound.dev
they arent, but OIDC uses oauth2
-
stratself
oidc is an identity layer on top of oauth
-
icebound.dev
yeah
-
icebound.dev
makes sense now
-
singpolyma
well OIDC has some extra things but any oauth2 login will also work for OIDC, just if you require OIDC things then oauth2 might not work
-
icebound.dev
> I dont see why an XMPP server would want to, but it could be feasible then to auth with github, or dare I say it, Discord :p so if oauth2 is required, then again, said functionality would also allow for this ^^^
-
singpolyma
yes
-
stratself
yes.
-
icebound.dev
actually...
-
icebound.dev
that might be useful for onboarding
-
singpolyma
if you wanted to run an xmpp server where people login with github, we can do that today. "just" need an app that allows it, heh
-
stratself
idc if people login with Codeberg or whatever tbh
-
icebound.dev
people being able to simply authenticate with Discord, it might actually get people to try out XMPP
-
stratself
matrix being built on web has made this infinitely easier. Big servers do allow authing against google/github/gitlab whatever. So it's not anything flameful lol
-
icebound.dev
I am still waiting on MFA :p
-
icebound.dev
theres been a lot of progress on it actually, and iirc the server implementations are done
-
icebound.dev
again just needs client side implementation
-
stratself
and how does MFA work exactly
-
stratself
does it send everything through SASL?
-
icebound.dev
singpolyma, to be honest, wouldn't this be pretty easy to do on android? You would need to add an option to use oauth2/OIDC which is discovered from the server, and then android can just use the webview to render the login endpoint.
-
icebound.dev
"just"
-
icebound.dev
on desktop this is more difficult...
-
icebound.dev
you cant assume there is a web browser present on Linux
-
stratself
> you cant assume there is a web browser present on Linux you... do
-
icebound.dev
then again xdg-open can be used to open the default web browser so I guess its not too difficult either
-
icebound.dev
> you... do nope, some Linux installs dont have web browsers
-
icebound.dev
although it would be nice to be able to pick the web browser used on desktop
-
stratself
or just provide a link and have the user click on it, like some cli clients
-
icebound.dev
true
-
icebound.dev
that works too
-
stratself
> or just provide a link and have the user click on it, like some cli clients link + qr or however you may please
-
icebound.dev
yeah true
-
stratself
access tokens would be nice for xmpp auth too
-
icebound.dev
so erebion, twist singpolyma's arm into implementing it and it could be quite fast to get up and running
-
moparisthebest
>> you... do > nope, some Linux installs dont have web browsers and some android installs don't either... this is an odd rabbit hole
-
stratself
> access tokens would be nice for xmpp auth too with granular permissions i mean, but idk if thats possible in xmpp-land just now
-
icebound.dev
singpolyma gets really bored, always looking for something new to code /j
-
icebound.dev
> and some android installs don't either... this is an odd rabbit hole seriously?
-
icebound.dev
I thought a webview was mandatory on android
-
icebound.dev
> with granular permissions i mean, but idk if thats possible in xmpp-land just now well SASL makes any of this possible, as singpolyma pointed out
-
stratself
>> with granular permissions i mean, but idk if thats possible in xmpp-land just now > well SASL makes any of this possible, as singpolyma pointed out so i could authenticate as a client that can only send messages and not photos?
-
stratself
not upload photos*
-
icebound.dev
if the server provided such permissions then yeah I dont see why not
-
stratself
so server has to keep track of resource ID against the token's privileges i think
-
icebound.dev
the joys of code, you can do almost anything provided you write it :p
-
stratself
i know, i'm just asking if it's theoretically possible in the first place
-
icebound.dev
stratself, well more it would be better to have a http upload "group" which the admin can add users to
-
icebound.dev
or remove users from
-
icebound.dev
whether you want it default or not
-
moparisthebest
XMPP already has that of course, there is FAST but also nothing prevented multiple passwords per account before
👍 1 -
icebound.dev
but yeah I dont see why it couldnt be implemented.
-
stratself
> stratself, well more it would be better to have a http upload "group" which the admin can add users to yeah we'll get RBAC soon™ anyways
-
icebound.dev
anyways I really got to go and fix this iphone, ive wasted 2 hours on it so far
-
stratself
glhf polarian
-
icebound.dev
its not fun, fuck apple :p