New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support XEP-0070: Verifying HTTP Requests via XMPP #1972

Open
victornoel opened this Issue Jul 28, 2016 · 11 comments

Comments

Projects
None yet
6 participants
@victornoel

victornoel commented Jul 28, 2016

Hi,

The XEP-0070 would make a lot of sense in conjunction with a mobile XMPP client (authorising access to a resource using a separate device is generally a good idea in security).

FYI there exists some implementations of the server-side (i.e. sending authentication requests to XMPP clients):

@DoM1niC

This comment has been minimized.

DoM1niC commented Jul 29, 2016

Prosody have a Plugin to handle HTTP Auth ...

https://modules.prosody.im/mod_auth_http_async.html

@tigre-bleu

This comment has been minimized.

tigre-bleu commented Aug 1, 2016

The prosody module you refer to does not seem to handle XEP-0070. It is doing authentification of XMPP user via HTTP basic verification, which is quite the opposite.

As far as I can see, XEP-0070 is not supported by Prosody (yet): http://prosody.im/doc/xeplist

@chteufleur

This comment has been minimized.

chteufleur commented Aug 9, 2016

Hi,
It would make a great feature, indeed.

@tigre-bleu: The server doesn't need to interpret those stanzas. So there is no implementation needed by XMPP server (there are all compatible).

@iNPUTmice

This comment has been minimized.

Member

iNPUTmice commented Aug 9, 2016

This is a classic chicken-egg problem. There aren't any services out there which make use of this feature and there aren't any services because there are no clients which implement this.
However the XEP provides a fall back method (just plain text) so the client doesn't necessarily has to have support for this. So in this case I think it is fair to let the service operators implement this first before we wrap this in some nice UI.

@chteufleur

This comment has been minimized.

chteufleur commented Aug 9, 2016

I understand your point of view.
I think that if we want to make that websites (or other applications) use this authentication system, we have to make the first step (with the risk that it will be un-used).

Hope it will become more popular in the future.

@tigre-bleu

This comment has been minimized.

tigre-bleu commented Aug 10, 2016

I confirm that the fallback works with Conversations, but it is not very elegant. If I have some spare time this week-end, I will think about a design for this function.

Is there any design toolkit that we can use to prototype an HMI using Conversations UI parts?

@tigre-bleu

This comment has been minimized.

tigre-bleu commented Aug 10, 2016

A first and quick mockup:
xep-0070-mockup

@chteufleur

This comment has been minimized.

chteufleur commented Aug 10, 2016

Nice.

What about a notification (like this) with accept/deny button ?

@tigre-bleu

This comment has been minimized.

tigre-bleu commented Aug 11, 2016

Why not, as long as it does not require Google Play Services.

@chteufleur

This comment has been minimized.

chteufleur commented Aug 11, 2016

I don't think so. My phone is on Cyanogen without any Google App, and I see this kind of notification.

@jarobase

This comment has been minimized.

jarobase commented Feb 14, 2018

In order to test several clients support, I made a small website:

https://demo.agayon.be/

I aim to make a website for non tech people based on this feature.

You can use it to try the usability.

Unfortunately, it is not really convenient with Conversations as it is not possible to copy a small part of a message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment