<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#ffffff" text="#000000">
Recently I have been working with different developers who are
trying to build BOSH-based buddycloud channels into their own
websites.<br>
<br>
The problem is:<br>
<br>
A user needs to log into a website using their JID. A third-party
website (e.g. channels.example.com) asking for your JID and password
(<a class="moz-txt-link-abbreviated" href="mailto:joe@gmail.com">joe@gmail.com</a>)
should scare any sensible user and worry XMPP operators that
$RANDOMWEBSITE is asking for their users' credentials.<br>
<br>
Additionally, we also have a problem in that users need to log in
repeatedly to access anything that uses a BOSH connection. While one
can debate the merits of this, users are more familiar with an
experience where they have to reauthenticate infrequently.<br>
<br>
So I guess the questions that arise are:<br>
<ul>
  <li>How do we protect against rogue websites saving your password?
    What practices are other XMPP website developers using?</li>
  <li>Is there an OAuth equivalent for XMPP?</li>
  <li>What best practices are websites using to save the user from
    logging in repeatedly each time the BOSH connection is destroyed
    (leaving the page)?</li>
</ul>
S.
<pre class="moz-signature" cols="72">--
Simon Tennant
mobile: +49 17 8545 0880
office: +44 20 7043 6756
office: +49 89 4209 55854
channel:<a class="moz-txt-link-freetext" href="http://buddycloud.com/user/buddycloud.com/simon">http://buddycloud.com/user/buddycloud.com/simon</a>
<a class="moz-txt-link-freetext" href="xmpp:simon@buddycloud.com">xmpp:simon@buddycloud.com</a>
<a class="moz-txt-link-freetext" href="mailto:simon@buddycloud.com">mailto:simon@buddycloud.com</a>
</pre>
</body>
</html>