Hi,

while I was testing speeqe, the nice BOSH-based MUC client of StanzIQ,
I noticed one limitation we have with XMPP which is only partially
addressed by XEP-0235, OAuth Over XMPP. XEP-0235 allows using XMPP
resources with an auth token obtained via OAuth. All the use cases in
the XEP are based on the assumption that an XMPP entity needs to do
some operations on resources on which it has no rights, and therefore
it needs a special authorization. That is the purpose of OAuth;
however, there is one more case which isn't addressed: allowing somebody
else to behave as if it were me, only for a limited scope.
Examples are web-based chats I don't completely trust: instead of
giving them my password I just pass them an OAuth token which allows
at most n logins, or just exchanging messages with a given
conferencing server. The basic mechanism would be a simple token-based
authentication, after which a session is created with the limitations
set during the token generation.

Right now I'm just asking because it's something that needs big
changes in server session management, and it will take a long time
before seeing it implemented. So it's better to know in advance if
there is interest or a better way to do the same things. Possible
applications:
- in general, login with untrusted clients or hardware (the authentication
token can also be generated with an external device such as a
smartcard)
- web-based sessions, with BOSH clients embedded in third-party
sites (e.g. I'm on Facebook and I don't want to use their ugly chat,
but my real JID, and I don't want to give away my password)

-- 
Fabio Forno, Ph.D.
Bluendo srl http://www.bluendo.com
jabber id: f...@jabber.bluendo.com
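An added illustration of the mechanism proposed above (example code, not part of the original post and not XEP-0235's token format): the server mints an HMAC-signed token whose limits are fixed at generation time, and a login with that token yields a session that enforces them. The login counter lives server-side, keyed by the token nonce, so an untrusted client cannot reset it; the secret, JIDs and scope fields are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; a real server would keep this in an HSM or key store.
SERVER_SECRET = b"constructed-demo-secret"


def mint_token(jid, allowed_domain, max_logins, secret=SERVER_SECRET):
    """Issue a scoped token: the scope is fixed when the token is generated."""
    payload = {"jid": jid, "nonce": secrets.token_hex(8),
               "scope": {"domain": allowed_domain, "max_logins": max_logins}}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


class LimitedSession:
    """A session bound to a single remote domain, e.g. one conferencing server."""

    def __init__(self, jid, domain):
        self.jid = jid
        self.domain = domain

    def may_send(self, to_jid):
        # Strip resource and node; only the domain part decides.
        bare = to_jid.split("/", 1)[0]
        return bare.split("@")[-1] == self.domain


def authenticate(token, login_store, secret=SERVER_SECRET):
    """Return a LimitedSession, or None if the token is invalid or exhausted."""
    body, _, mac = token.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or forged token
    payload = json.loads(base64.urlsafe_b64decode(body))
    nonce = payload["nonce"]
    used = login_store.get(nonce, 0)
    if used >= payload["scope"]["max_logins"]:
        return None  # at most n logins, counted server-side
    login_store[nonce] = used + 1
    return LimitedSession(payload["jid"], payload["scope"]["domain"])
```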
