[jdev] Login with SASL credentials unrelated to domain username

[Kurt Zeilenga]

On Nov 15, 2009, at 10:46 AM, Norman Rasmussen wrote:

> DIGEST-MD5 (and so some degree GSSAPI), allows you to authenticate with separate credentials from the account you're authorizing to.
> 
> So it's 100% valid in the XMPP world to login into the joe at example.com xmpp account using a username of bob and bob's password.

I think the OP was looking at how to specify a different authcid, not assert an authzid for identity assumption.  That is, Joe wants the JID joe at example.com to have an authcid of say j.   That's quite different than Bob (Bob != Joe) wanting to act as Joe, hence authenticating as Bob (via either JID bob at example.com or as b) and assuming the entity identified by the JID joe at example or the identity j.

While SASL's authzid mechanism does get used to specification of alternative identities for the same entity, that (IMO) is a misuse.  This misuse interfers with the ability of the user to perform identity assumption.   That is, if the user Bob wants to act as Joe but needs to specify both an authcid and authzid to just to authenticate as Bob, then it can use the authzid to say he wants act as Joe.

Anyways, some servers might have authcid which are not JIDs.  For instance, my authcid might be "Kurt Zeilenga".  XMPP clients should, just like most email clients do, the option to enter a authcid that's different than the user's JID (just like email clients allow for authcids which are different than the user's email address).

-- Kurt