> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Peter Saint-Andre
> Sent: 03 June 2009 06:18 AM
> To: Jabber/XMPP software development list
> Subject: Re: [jdev] Jabber Login with OpenID
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 5/22/09 6:39 AM, Bernhard zwischenbrugger wrote:
> > Hi All
> >
> > I try to make a webchat with OpenID Login.
> >
> > OpenID is not difficult.
> > Using https://rpxnow.com/ for example makes it very simple.
> > Also a Jabber Login using "Strophe" or any other BOSH Lib is simple.
> > No Problem with that
> >
> > But combining these 2 things is not easy at all.
> >
So what you need is some kind of SSO (Single Sign On) solution. Using OpenID from a thick Jabber client would probably be *very* difficult (because it's intimately tied to the browser). It may be possible from your side of things, however.

I haven't had the time to grep OpenID yet - but this <http://www.windley.com/archives/2006/04/how_does_openid.shtml> came in pretty useful. You will need to appropriate an OpenID implementation.

This is a hashed out version of what would need to happen - so you WILL need to make changes to ensure security (esp. against replay).

You will need something like the following in the database:

  OpenIDLogins - IdentityUrl (nvarchar), Token (nvarchar), JabberID (nvarchar), Success (bool)

So when you hit step 5 in the above document you will need to add that login to the table. At this point you would probably set up IdentityUrl, Token and JabberID. Success would be false.

I assume the JabberID would be published in the OpenID document. I don't have the time to go through the OpenID spec right now but I assume it would look something like:

  <openId>
    <url>http://myoidserver.com/jack</url>
    <jabberId xmlns="urn:xmpp:tmp:openId">[email protected]</jabberId>
    <!-- Further OID fields -->
  </openId>

@PSA - maybe someone should hash out a XEP, if appropriate?

Once the OpenID server directs the user back to your site with a successful login you would then update the Success field to true.

You would need to communicate the token to the client in a cookie or hidden field - obviously you would need to protect it somehow (SSL).

The client could then use that token in a custom SASL mechanism (may I suggest OID-TOKEN), which would simply:

  C: [IdentityUrl]+[Token]
  S: Success/Failure

The user is now authenticated.
> Peter
>
> - --
> Peter Saint-Andre
> https://stpeter.im/
>
> _______________________________________________
> JDev mailing list
> Forum: http://www.jabberforum.org/forumdisplay.php?f=20
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: [email protected]
> _______________________________________________
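The token hand-off sketched in the message above, worked through end to end as an added example (this is not code from the original post, from the list, or from any XMPP server). It assumes an in-memory dictionary standing in for the OpenIDLogins table; two extra columns, Expires and Used, that the post does not have but that implement the anti-replay change it says is needed; a base64 initial response of IdentityUrl, NUL, Token for the hypothetical OID-TOKEN mechanism (the post only writes "[IdentityUrl]+[Token]", the NUL separator is borrowed from SASL PLAIN's convention); and a constructed JID jack@example.com. The web tier calls begin_login at step 5 and complete_login when the OpenID assertion verifies; the XMPP server calls server_handle_auth on the <auth mechanism='OID-TOKEN'/> payload.

```python
import base64
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class OpenIDLogin:
    # Columns from the post: IdentityUrl, Token, JabberID, Success.
    identity_url: str
    token: str
    jabber_id: str
    success: bool = False
    # Assumed extra columns so a token is short-lived and single-use.
    expires: float = 0.0
    used: bool = False


class OpenIDLoginStore:
    """Constructed in-memory stand-in for the OpenIDLogins table (not a real DB)."""

    TOKEN_TTL = 60  # seconds the token stays valid after OpenID success (assumption)

    def __init__(self):
        self._rows = {}  # keyed by token

    def begin_login(self, identity_url, jabber_id):
        """Step 5 of the OpenID flow: record the pending login with Success = false."""
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the identity URL
        self._rows[token] = OpenIDLogin(identity_url, token, jabber_id)
        return token

    def complete_login(self, token, now=None):
        """Provider redirected back and the assertion verified: Success = true, start the clock."""
        row = self._rows.get(token)
        if row is None:
            return False
        row.success = True
        row.expires = (time.time() if now is None else now) + self.TOKEN_TTL
        return True

    def authenticate(self, identity_url, token, now=None):
        """Server side of OID-TOKEN. Returns the JabberID, or None on failure.

        The token is consumed on first successful use, so a token captured from
        the cookie/hidden field cannot be replayed against the XMPP server.
        """
        now = time.time() if now is None else now
        row = self._rows.get(token)
        if row is None:
            return None
        # Constant-time compare so a wrong identity URL leaks no timing signal.
        if not hmac.compare_digest(row.identity_url.encode(), identity_url.encode()):
            return None
        if not row.success or row.used or now > row.expires:
            return None
        row.used = True
        return row.jabber_id


def encode_oid_token_response(identity_url, token):
    """Client side: base64 initial response carried in <auth mechanism='OID-TOKEN'/>."""
    return base64.b64encode(f"{identity_url}\0{token}".encode()).decode()


def decode_oid_token_response(b64):
    """Server side: split the initial response; reject anything malformed."""
    raw = base64.b64decode(b64, validate=True).decode()  # both raise ValueError
    identity_url, sep, token = raw.partition("\0")
    if not sep or not identity_url or not token:
        raise ValueError("malformed OID-TOKEN response")
    return identity_url, token


def server_handle_auth(store, b64_response, now=None):
    """Answer 'success:<jid>' or 'failure', mirroring the S: line in the post."""
    try:
        identity_url, token = decode_oid_token_response(b64_response)
    except ValueError:
        return "failure"
    jid = store.authenticate(identity_url, token, now)
    return f"success:{jid}" if jid else "failure"


def demo():
    """Walk one login: too early, first use succeeds, replay of the same token fails."""
    store = OpenIDLoginStore()
    url, t0 = "http://myoidserver.com/jack", 1_000_000.0
    token = store.begin_login(url, "jack@example.com")  # constructed JID
    too_early = server_handle_auth(store, encode_oid_token_response(url, token), now=t0)
    store.complete_login(token, now=t0)
    first = server_handle_auth(store, encode_oid_token_response(url, token), now=t0 + 5)
    replay = server_handle_auth(store, encode_oid_token_response(url, token), now=t0 + 6)
    return too_early, first, replay


if __name__ == "__main__":
    print(demo())
```

The token is a random value looked up by the server rather than a hash of the identity URL, so nothing about it can be derived by a third party, and a row is only consulted after the OpenID round-trip flipped Success. The web tier must still send the cookie or hidden field over TLS, as the post says, since this design only limits what a captured token is worth, not whether it can be captured.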
