What's the current state of XMPP and OpenID Connect? My web search returned that ejabberd is still considering if and how to implement and Prosody has experimental alpha-stage support via a module. I couldn't find anything conclusive in regards to XMPP clients. What's with Gajim(?) and Conversations? Or other clients? Are there any web clients supporting OIDC?
#jabber #xmpp #oidc #openidconnect
Daniel Gultsch
in reply to Fluchtkapsel
The answer depends a bit on what you are trying to achieve. Authenticate against a third party? Throw the password away and log in with a session cookie? Give access to third parties to data on the XMPP server?
We do the session tokens with FAST.
Prosody has some support for giving third parties access to (scoped) data on the XMPP server and clients (Conversations and Gajim) aren't involved here.
Fluchtkapsel
in reply to Daniel Gultsch
Daniel Gultsch
in reply to Fluchtkapsel
Authenticating with OAuth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we lose nice security features like channel binding by using web stuff.
Fluchtkapsel
in reply to Daniel Gultsch
Daniel Gultsch
Unknown parent
@muppeth @mattj Sticking with LDAP would at least on paper leave the door open for channel binding.
2FA could be added to XMPP w/o involving web stack stuff.
I'm not fundamentally opposed to OAuth. I'm just pointing out that the use case of OAuth is convenience rather than added security. If we implement it wrong we might even lose security (channel binding).