[jdev] oAuth equivalent for for XMPP?
Jonathan Dickinson
jonathan at dickinsons.co.za
Mon Dec 13 03:20:07 CST 2010
?(Sorry for top-reply, live.com has problems with signed emails)
It's quite possible to XMPP-ize OAuth. Just took a look at the protocol
(http://tools.ietf.org/html/rfc5849). Essentially:
1. printer.example.com advertises OAuth feature (http://oauth.net/:o-auth).
2. Client selects O-AUTH and provides server/URL in a SASL-like payload
(BASE64(http="http://photos.example.com/juliet")).
3. printer.example.com does a GET against the URL and looks for a META tag
("urn:tmp:xmpp") that contains the target XMPP server
(xmpp.tcp.photos.example.com; or photos.example.com:5252).
3.1. If the META tag is not found, printer.example.com probably comes back
with not-found.
3.2. It might even be a good idea to send a hint along in the GET request
(ACCEPT: text/html; text/html+xmpp) so that the server only sends back the
HTML and META tags.
4. printer.example.com contacts photos.example.com:5252 and requests
authorization.
5. photos.example.com sets up E2E encryption with client.
6. The request is authorized over this channel (using XEP0004).
7. photos.example.com informs printer.example.com of success.
I don't know if a XEP for (3) exists; at any rate it is immensely useful for
XMPP-izing protocols like OAuth (heck, we could even get OpenID to work the
same way as this).
Thoughts?
--------------------------------------------------
From: "Jonathan Schleifer" <js-jdev at webkeks.org>
Sent: Sunday, December 12, 2010 2:19 PM
To: "Jabber/XMPP software development list" <jdev at jabber.org>
Subject: Re: [jdev] oAuth equivalent for for XMPP?
> _______________________________________________
> JDev mailing list
> Forum: http://www.jabberforum.org/forumdisplay.php?f=20
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________
>
More information about the JDev
mailing list