[jdev] oAuth equivalent for for XMPP?

Jonathan Dickinson jonathan at dickinsons.co.za
Mon Dec 13 03:20:07 CST 2010

?(Sorry for top-reply, live.com has problems with signed emails)

It's quite possible to XMPP-ize OAuth. Just took a look at the protocol 
(http://tools.ietf.org/html/rfc5849). Essentially:

1. printer.example.com advertises OAuth feature (http://oauth.net/:o-auth).
2. Client selects O-AUTH and provides server/URL in a SASL-like payload 
3. printer.example.com does a GET against the URL and looks for a META tag 
("urn:tmp:xmpp") that contains the target XMPP server 
(xmpp.tcp.photos.example.com; or photos.example.com:5252).
3.1. If the META tag is not found, printer.example.com probably comes back 
with not-found.
3.2. It might even be a good idea to send a hint along in the GET request 
(ACCEPT: text/html; text/html+xmpp) so that the server only sends back the 
HTML and META tags.
4. printer.example.com contacts photos.example.com:5252 and requests 
5. photos.example.com sets up E2E encryption with client.
6. The request is authorized over this channel (using XEP0004).
7. photos.example.com informs printer.example.com of success.

I don't know if a XEP for (3) exists; at any rate it is immensely useful for 
XMPP-izing protocols like OAuth (heck, we could even get OpenID to work the 
same way as this).


From: "Jonathan Schleifer" <js-jdev at webkeks.org>
Sent: Sunday, December 12, 2010 2:19 PM
To: "Jabber/XMPP software development list" <jdev at jabber.org>
Subject: Re: [jdev] oAuth equivalent for for XMPP?

> _______________________________________________
> JDev mailing list
> Forum: http://www.jabberforum.org/forumdisplay.php?f=20
> Info: http://mail.jabber.org/mailman/listinfo/jdev
> Unsubscribe: JDev-unsubscribe at jabber.org
> _______________________________________________

More information about the JDev mailing list