[jdev] Question on login through OAuth

"István Koren" koren at dbis.rwth-aachen.de
Wed May 22 12:19:16 UTC 2013


> Thank you very much!
> I'll try this way.
>
> Kind regards
> Stefano
>

Hi Stefano,
 I tried something similar some time ago and I think to solve your problem
you would need an approach that links OpenID and OAuth. To keep the
"Google login experience" while having a secure implementation you would
need an XMPP server that first supports OpenID to login through Google
and second gives you an OAuth token to login to XMPP through the SASL
procedure mentioned by Jonas and Peter [1]. Afaik there is no open XMPP
host supporting that.

You could of course do it the way you mentioned which is checking whether
login to Google was successful (in that case you get back an OAuth token)
and then use your automatically generated password to login to another
XMPP server. However, automatically creating XMPP passwords is never a good
idea, just check [2] what WhatsApp did wrong in this matter.

A third solution (more of a hack...) would be to use Google Drive app data
folders [3] to save your auto-generated third-party credentials, but I am
not sure how safe that is.

Cheers,
 István

[1] https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-oauth/
[2] http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-completely-unprotected-1708545.html
[3] http://googleappsdeveloper.blogspot.de/2013/04/more-ways-for-apps-to-write-to-drive.html


--
http://istvank.eu
http://dbis.rwth-aachen.de/cms/staff/koren

>
> 2013/5/18 Peter Saint-Andre <stpeter at stpeter.im>
>
>> On 5/18/13 8:37 AM, Jonas Wielicki wrote:
>> > Hi Stefano,
>> >
>> > While there is no XEP explicitly supporting OAuth, there seem to
>> > be approaches for using OAuth with SASL, which is the default
>> > authentication mechanism for XMPP.
>> >
>> > So in principle, it should be possible to use OAuth, without
>> > hardcoding passwords etc.. However, there is probably no software
>> > out there yet supporting that. I'd suggest you take some web search
>> > on how to use OAuth with SASL and maybe implement/contribute to the
>> > standards which are currently in the making (I found some IETF
>> > draft for sasl+oauth,
>>
>> https://datatracker.ietf.org/doc/draft-ietf-kitten-sasl-oauth/
>>
>> It's currently in working group last call.
>>
>> > and some github code by doing a simple web search). You'll probably
>> > also have to patch server software to support that, and in turn set
>> > up your own XMPP service for this to work.
>>
>> Sounds right. Perhaps over time we'll see more XMPP servers, clients,
>> and libraries supporting it (once it becomes standardized at the IETF).
>>
>> Peter
>>
>> - --
>> Peter Saint-Andre
>> https://stpeter.im/
>>
>>
>> _______________________________________________
>> JDev mailing list
>> Info: http://mail.jabber.org/mailman/listinfo/jdev
>> Unsubscribe: JDev-unsubscribe at jabber.org
>> _______________________________________________
>>

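The SASL-with-OAuth approach that Jonas, Peter and István discuss above, as an added example that is not part of the thread and not code from any of the posters: both sides of an OAUTHBEARER exchange in the wire format of draft-ietf-kitten-sasl-oauth [1] (later published as RFC 7628). The XMPP server validates an opaque bearer token minted after the identity-provider login instead of checking a stored or auto-generated password, which is the split István describes. The token store, the host name xmpp.example.com, the user names, the expiry values and the plain-string success/failure replies (stand-ins for the XMPP SASL stanzas) are all constructed for this example.

```python
"""
Added example: minimal SASL OAUTHBEARER client/server exchange in the wire
format of draft-ietf-kitten-sasl-oauth (RFC 7628). Everything below
(token store, names, expiry, reply strings) is constructed for illustration.
"""
import json
import secrets

KVSEP = "\x01"  # key/value separator defined by the mechanism (one ^A byte)


def issue_token(store, subject, issued_at, lifetime=3600):
    """Identity-provider side (constructed): mint an opaque bearer token.
    The XMPP server accepts this random token, never a derived password."""
    token = secrets.token_urlsafe(32)
    store[token] = {"sub": subject, "exp": issued_at + lifetime}
    return token


def encode_saslname(name):
    """GS2 saslname escaping: '=' becomes '=3D', ',' becomes '=2C'."""
    return name.replace("=", "=3D").replace(",", "=2C")


def decode_saslname(name):
    return name.replace("=2C", ",").replace("=3D", "=")


def build_client_response(authzid, host, port, token):
    """Client side: initial response = gs2-header kvsep *kvpair kvsep."""
    gs2_header = f"n,a={encode_saslname(authzid)},"
    pairs = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    return gs2_header + KVSEP + pairs + KVSEP


def parse_client_response(msg):
    """Server side: strict parse. Returns (authzid or None, {key: value})."""
    if not msg.startswith("n,"):
        raise ValueError("only the 'n' (no channel binding) GS2 flag is handled")
    header_end = msg.find(",", 2)
    if header_end < 0:
        raise ValueError("malformed GS2 header")
    authz_field, authzid = msg[2:header_end], None
    if authz_field:
        if not authz_field.startswith("a="):
            raise ValueError("malformed authzid field")
        authzid = decode_saslname(authz_field[2:])
    body = msg[header_end + 1:]
    if len(body) < 2 or body[0] != KVSEP or not body.endswith(KVSEP + KVSEP):
        raise ValueError("kvpair block must start with ^A and end with ^A^A")
    kv = {}
    for pair in body[1:-2].split(KVSEP):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key.isalpha() or key in kv:
            raise ValueError(f"malformed or duplicate kvpair {pair!r}")
        kv[key] = value
    if "auth" not in kv:
        raise ValueError("missing auth kvpair")
    return authzid, kv


def server_authenticate(msg, store, now, expected_host):
    """Server side: returns ("ok", subject) or ("error", json_text), where the
    JSON text is the failure body the server sends as its challenge."""
    invalid = json.dumps({"status": "invalid_token"})
    try:
        authzid, kv = parse_client_response(msg)
    except ValueError:
        return "error", json.dumps({"status": "invalid_request"})
    scheme, _, token = kv["auth"].partition(" ")
    if scheme.lower() != "bearer" or not token:
        return "error", invalid
    record = store.get(token)
    if record is None or record["exp"] <= now:
        return "error", invalid          # unknown or expired token
    if kv.get("host") not in (None, expected_host):
        return "error", invalid          # token presented to a different host
    if authzid is not None and authzid != record["sub"]:
        return "error", invalid          # may not act as another user
    return "ok", record["sub"]


def run_exchange(store, now, host, authzid, token):
    """Drive both sides in-process; returns (transcript, authenticated subject)."""
    first = build_client_response(authzid, host, 5222, token)
    transcript = [("C", first)]
    status, payload = server_authenticate(first, store, now, host)
    if status == "ok":
        transcript.append(("S", "<success/>"))
        return transcript, payload
    transcript.append(("S", payload))    # JSON error carried in the challenge
    transcript.append(("C", KVSEP))      # client acknowledges with a lone ^A
    transcript.append(("S", "<failure><not-authorized/></failure>"))
    return transcript, None


if __name__ == "__main__":
    store = {}
    tok = issue_token(store, "stefano@example.com", issued_at=1000)
    for step in run_exchange(store, 1500, "xmpp.example.com", "stefano@example.com", tok)[0]:
        print(step)
```

The server never sees a password: it only learns whether the token the identity provider issued is still valid and whether the user it names matches the authorization identity the client asked for. Rejecting a mismatched `host` keeps a token obtained for one server from being replayed against another, and every malformed message gets the same `invalid_request` reply rather than a parser traceback.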

