I've spent the last couple of months working on some projects that attempt to utilize XMPP's roster management APIs to store users' trust relationships for creating and interacting with social networks. This is all well and good, but there doesn't exist a secure means of me passing user credentials to the jabber server to authenticate my users, /and/ my daemons are forced to store the session state locally. If we consider that creating and interacting with a giant global social network is a plausible use case for XMPP (and the user profile XEP seems to suggest that at least some people have thought that way), then having a way to safely authorize web clients will be an enormous boon to developers of these networks.
Example work flow
==============

User = user logging into a web application
Consumer = The Web Application
Service Provider = User's Jabber Server

1. User requests access to an XMPP API from the Consumer.
2. Consumer redirects the user to the Service Provider.
3. The User enters their credentials into the Service Provider.
4. The Service Provider posts back to the Consumer with a unique access token.
5. The Consumer then makes the XMPP API call to the Service Provider with the unique token granted to it.

Future requests for data from the Consumer would be done with the token, and provided access to the restricted APIs.

Problems and Pitfalls
================

- The servers would need to provide HTML login forms to users.
- The servers would need to be able to deal with the tokens passed to the consumers and allow access to the users' data given that.

Anyway, I've never proposed anything here, so I would love to hear ideas on how we can make this work, and if we can't, why.

Thanks,
~ Anders
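The token-granting flow sketched in the post, as an added example that is not part of the original message or of any XMPP server. It models the Service Provider (the user's jabber server) and the Consumer (the web application) as two in-memory Python objects and plays the exchange through once. Everything beyond the post's five steps is an assumption of this example, not something Anders proposed: the user "anders@example.org", the constructed roster, the "roster:get" scope name, the PBKDF2-stored password, and the checks that a token is bound to the consumer it was issued to, expires, and only unlocks the scope the user approved. The point it adds to the flow is that the Consumer never handles the jabber password, only the token, and that the Service Provider can reject a token replayed by a different consumer, used out of scope, or used after expiry.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the Service Provider (the user's jabber server).
# The password is stored salted and hashed; plaintext only ever appears in the
# login form post to the Service Provider, never at the Consumer.
SALT = b"constructed-salt"
USERS = {
    "anders@example.org": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
}
ROSTERS = {  # constructed roster, the data the Consumer wants to read
    "anders@example.org": ["alice@example.org", "bob@example.net"],
}


class ServiceProvider:
    """The user's jabber server: serves the login form, issues tokens, serves the API."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}  # token -> (jid, consumer_id, scope, expires_at)

    def login_and_authorize(self, jid, password, consumer_id, scope, ttl=3600):
        """Step 3: user enters credentials here and approves `scope` for `consumer_id`."""
        stored = USERS.get(jid)
        if stored is None:
            return None
        given = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
        if not hmac.compare_digest(stored, given):
            return None
        # Unguessable token, bound to the consumer, the approved scope and a lifetime
        # (assumed here; the post only asks for a "unique access token").
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (jid, consumer_id, frozenset(scope), self.now() + ttl)
        return token

    def api_call(self, token, consumer_id, method):
        """Step 5: the restricted API, gated on the token rather than a password."""
        entry = self.tokens.get(token)
        if entry is None:
            return {"error": "unknown token"}
        jid, bound_consumer, scope, expires_at = entry
        if consumer_id != bound_consumer:
            return {"error": "token not issued to this consumer"}
        if self.now() >= expires_at:
            del self.tokens[token]
            return {"error": "token expired"}
        if method not in scope:
            return {"error": "method not in granted scope"}
        if method == "roster:get":
            return {"jid": jid, "roster": list(ROSTERS[jid])}
        return {"error": "unknown method"}


class Consumer:
    """The web application. It stores only the token, keyed by its own web session."""

    def __init__(self, consumer_id):
        self.consumer_id = consumer_id
        self.tokens = {}  # web session id -> access token

    def receive_token(self, session_id, token):
        """Step 4: the Service Provider posts the token back to us."""
        self.tokens[session_id] = token

    def fetch_roster(self, sp, session_id):
        """Later requests reuse the stored token instead of any credentials."""
        token = self.tokens.get(session_id)
        if token is None:
            return {"error": "not authorized"}
        return sp.api_call(token, self.consumer_id, "roster:get")


def run_flow(password="correct horse", clock=None):
    """Play the whole exchange once; `clock` is a one-element list so tests can advance time."""
    clock = clock or [time.time()]
    sp = ServiceProvider(now=lambda: clock[0])
    consumer = Consumer("social-app.example.com")
    # Steps 1-2: user asks the Consumer for roster access and is redirected to the
    # Service Provider (the HTTP redirect itself is out of band in this model).
    token = sp.login_and_authorize(
        "anders@example.org", password, consumer.consumer_id, {"roster:get"}
    )
    if token is None:
        return {"error": "login failed"}
    consumer.receive_token("sess-1", token)
    return consumer.fetch_roster(sp, "sess-1")


if __name__ == "__main__":
    print(run_flow())
```

The binding of the token to the consumer is the check most worth carrying into a real design: without it, any token that leaks from one web application's session store can be replayed against the jabber server by anyone else, which puts the Consumer right back in the position of holding a credential as sensitive as the password it was meant to avoid.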