[JDEV] SSI Protocol draft 1
Michael Hearn
mhearn at mailandnews.com
Mon Oct 15 16:03:37 CDT 2001
Here it is. Dead simple. And not finished. But you get the idea.
Authentication Protocol
Draft 1
The following elements represent the different actions that are
available in the Single Sign-In Protocol.
The following terms are used in this document:
Client - the user's software (web browser, FTP client, etc.) that is not
directly connected to the Jabber network.
Host - the user's host (for instance, jabber.org).
Requester - the entity that wishes to authenticate the Client with the Host.
At the start of an SSI transaction, the Requester should interrogate the
Host to determine what authentication options are available. The first
version of this protocol will define 3 types; however, more may be added
at a later date.
The following message is sent.
<beginTransaction xmlns="http://jabber.org/ssi"/>
and the Host sends back:
<transaction id="02343151" xmlns="http://jabber.org/ssi">
  <authType name="web"/>
  <authType name="service"/>
  <authType name="im"/>
</transaction>
The Requester now has a transaction ID that can be used in subsequent
messages.
The Requester now sends something like this:
<signIn id="02343151" xmlns="http://jabber.org/ssi">
  <authType name="web">
    <template>http://requester/ssi-template.html</template>
    <return-url>http://requester/signin?key=SOMEVERYLONGRANDOMUNGUESSABLENUMBER</return-url>
  </authType>
</signIn>
and, when successful, the Host sends back:
<instructions id="02343151" xmlns="http://jabber.org/ssi">
  <authType name="web">
    <redirect-url>https://signin.host/go.pl?id=02343151</redirect-url>
  </authType>
</instructions>
Note that the redirect-URL can be anything; the fact that the
transaction ID features in it in this example doesn't indicate that this
has to be the case.
The Requester then sends an HTTP redirect to the Client. The sign-in
program loads up the file specified in the <template> element of the
<signIn> message, then interpolates the form into that page
(Passport calls this co-branding) and sends it to the Client. Once the
Client has submitted their credentials, they are cleared and sent back
to the return-url. The sign-in page can set cookies so the credentials
don't have to be re-entered. The Requester site can also set a cookie
with the user name in it, so the Client will not have to reauthenticate in
future.
______________________________
Michael Hearn
mhearn at neuk.net
Jabber (jabber.org) tweedledee at jabber.org
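The exchange described in the post above, as an added example that is not part of the original message or of any Jabber implementation: a Python simulation in which an in-process Host and Requester trade the draft-1 messages (beginTransaction, transaction, signIn, instructions) built with xml.etree. The Jabber transport, the Client's browser and the sign-in form are not modelled. Everything beyond the four elements shown in the draft is an assumption: the Host keeping per-transaction state and rejecting unknown or unsupported requests, the `<error>` element it answers with, random transaction IDs instead of the draft's 8-digit example, and the placeholder URLs `https://signin.host/go.pl` and `http://requester`.

```python
import secrets
import xml.etree.ElementTree as ET

NS = "http://jabber.org/ssi"
ET.register_namespace("", NS)  # serialise with a default xmlns, as in the draft's messages


def q(name):
    """Clark-notation tag for an element in the SSI namespace."""
    return f"{{{NS}}}{name}"


def to_xml(root):
    return ET.tostring(root, encoding="unicode")


class Host:
    """The user's Jabber host. State-keeping and the <error> element are assumptions."""

    AUTH_TYPES = ("web", "service", "im")

    def __init__(self, signin_base="https://signin.host/go.pl"):  # placeholder URL
        self.signin_base = signin_base
        self.transactions = {}  # transaction id -> what the Requester asked for

    def handle(self, xml_text):
        # Caveat: the stdlib parser is not hardened against entity-expansion attacks;
        # parse real wire input with defusedxml rather than xml.etree.
        el = ET.fromstring(xml_text)
        if el.tag == q("beginTransaction"):
            return self._begin()
        if el.tag == q("signIn"):
            return self._sign_in(el)
        return self._error(el.get("id"), "unknown element")

    def _error(self, tid, text):
        err = ET.Element(q("error"), {"id": tid or ""})  # assumed, not in the draft
        err.text = text
        return to_xml(err)

    def _begin(self):
        # The draft shows an 8-digit id; using an unguessable random id is an assumption.
        tid = secrets.token_hex(8)
        self.transactions[tid] = {}
        root = ET.Element(q("transaction"), {"id": tid})
        for name in self.AUTH_TYPES:
            ET.SubElement(root, q("authType"), {"name": name})
        return to_xml(root)

    def _sign_in(self, el):
        tid = el.get("id")
        state = self.transactions.get(tid)
        if state is None:  # id must come from an earlier <transaction> reply
            return self._error(tid, "unknown transaction")
        auth = el.find(q("authType"))
        name = auth.get("name") if auth is not None else None
        if name != "web":  # only the web flow is spelled out in draft 1
            return self._error(tid, "unsupported authType")
        template = auth.findtext(q("template"))
        return_url = auth.findtext(q("return-url"))
        if not template or not return_url:
            return self._error(tid, "missing template or return-url")
        state.update(authType="web", template=template, return_url=return_url)
        root = ET.Element(q("instructions"), {"id": tid})
        a = ET.SubElement(root, q("authType"), {"name": "web"})
        # The draft says the redirect URL can be anything; embedding the id is one choice.
        ET.SubElement(a, q("redirect-url")).text = f"{self.signin_base}?id={tid}"
        return to_xml(root)


class Requester:
    """The site that wants the Client authenticated. The base URL is a placeholder."""

    def __init__(self, host, base="http://requester"):
        self.host = host
        self.base = base
        self.pending = {}  # return-url key -> transaction id, checked when the Client returns

    def start_web_signin(self):
        offer = ET.fromstring(self.host.handle(to_xml(ET.Element(q("beginTransaction")))))
        if offer.tag != q("transaction"):
            raise RuntimeError("host refused to begin a transaction")
        tid = offer.get("id")
        offered = {a.get("name") for a in offer.findall(q("authType"))}
        if "web" not in offered:
            raise RuntimeError("host does not offer web sign-in")
        # The draft's SOMEVERYLONGRANDOMUNGUESSABLENUMBER: 256 bits from the CSPRNG.
        key = secrets.token_urlsafe(32)
        self.pending[key] = tid
        root = ET.Element(q("signIn"), {"id": tid})
        a = ET.SubElement(root, q("authType"), {"name": "web"})
        ET.SubElement(a, q("template")).text = f"{self.base}/ssi-template.html"
        ET.SubElement(a, q("return-url")).text = f"{self.base}/signin?key={key}"
        instr = ET.fromstring(self.host.handle(to_xml(root)))
        if instr.tag != q("instructions") or instr.get("id") != tid:
            raise RuntimeError("host did not return instructions for this transaction")
        redirect = instr.find(q("authType")).findtext(q("redirect-url"))
        return tid, key, redirect  # redirect is where the Requester 302s the Client


def run_example():
    """One complete web sign-in negotiation between a Host and a Requester."""
    host = Host()
    req = Requester(host)
    tid, key, redirect = req.start_web_signin()
    return host, req, tid, key, redirect


if __name__ == "__main__":
    _, _, tid, key, redirect = run_example()
    print("transaction", tid, "-> redirect Client to", redirect)
```

The Requester keeps the return-url key in `pending` so that, when the Client comes back from the sign-in page, it can tie the visit to the transaction it started; a Host-side check that the `id` in `<signIn>` was actually issued by an earlier `<transaction>` is the minimum needed to stop a stranger from attaching a return-url to someone else's transaction.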