HTTP-Auth suite

project info HTTP-Auth suite

Summer of Code 2006 project
 * Author: Maciej Niedzielski (machekku)
 * Mentor: Jacek Konieczny
 * Target: XEP-0070 client/server implementation
 * Website: http://jauto.sourceforge.net/

(skip intro)

Do you remember your last time working on a new machine, typing thousands of passwords on every website you wanted to visit? "it's me again, I said it a moment ago...." Wouldn't it be wonderful if you could authenticate once and then just say "yes, it's me again, I'd like to talk with you now..."?

Talk...? Talking is one of the most popular ways of using the Internet. But - for some reason - you don't need to provide your password every time you want to talk with another person. Somehow they know that it's you. So why HTTP servers do not know? And why not to teach them how to do this?

There already exists a protocol (XEP-0070) which enables HTTP server to verify HTTP requests via XMPP. It describes how HTTP server can take advantage on strong authentication provided by XMPP and just simply associate unknown (until now) user clicking a link in browser with a well-known and "well-authenticated" XMPP user.

And now, imagine that your browser acts like an (invisible) XMPP client. Sure, it will need to know your password, but this is just one password (and it's not same-password-everywhere solution!). In exchange for this one password, your XMPP-enabled HTTP browser could automatically confirm all your HTTP requests in background! You don't need to send any password to HTTP server - just tell the server: "yes, I'm a happy Jabber user!" and everything else will happen automatically.

Project
This page is dedicated to Summer of Code 2006 project, which aims to implement XEP-0070 in a way described above. The components include:
 * Firefox extension: It will understand server's offer to use this protocol and provide all data needed to start the authentication (like user's JID). At the same time, it will act as invisible XMPP client, which will automatically confirm the requests: this way, the only user action to authenticate will be to provide their JID
 * Apache HTTPD module: It will ask user for their JID, pass it to XMPP server and then serve the requested resource (or not, if confirmation fails ;) )
 * XMPP server component: It will will ask user to confirm the request made to HTTP server.

Why would users like this?
Any way to reduce the number of passwords needed to be remembered is a blessing for a user. There are many methods to achieve this, but only solution described here has this unique combination of features:


 * same info everywhere : simply provide the same JID for every site: this can compete even with so widely used, so unsecure same-password-everywhere technique
 * same power everywhere : your XMPP account becomes a universal key, which is always with you
 * no passwords on the wire : there are no passwords at all
 * one click to authenticate : just send your JID to HTTP server (your XMPP-enabled browser will confirm your requests)

Project status
Project news and weekly reports are available on the official website.

Quick overview

 * Psi patch : submitted
 * jautod (XMPP component) : Version 0.2 released!
 * Apache module: Version 0.1 released!
 * Firefox jauto extension: Version 0.1 released!
 * Jabberzilla patch: Version 0.1 released!

Progress

 * Week 1
 * general: Reading docs, setting up wiki, etc.
 * Week 2
 * psi: Displays incoming requests.
 * jautod: Sends request as a reply to a message (just for testing Psi).
 * XEP-0070: Prepared draft changes and sent do XEP Editor.
 * Week 3
 * psi: Improved stanza error handling.
 * psi: Patch is almost finished.
 * Apache: Reading docs.
 * Week 4
 * general: Some work delayed due to my personal problems...
 * jautod: 50% complete.
 * Week 5
 * jautod: Mostly finished, needs some clean up and writing docs.
 * psi: Fixed some bugs found while testing with jautod.
 * Week 6
 * psi: Patch submitted!
 * jautod: Version 0.1 released!
 * Apache: Got general idea what needs to be done.
 * Week 7
 * Apache: Looks like it works, but needs some polishing.
 * Week 8
 * general: Trying to survive the heat wave.
 * Firefox: Reading, reading, reading docs.
 * Week 9
 * Apache: Finished.
 * Jabberzilla Getting used to the code, etc.
 * Week 10
 * Jabberzilla: Incoming confirmation request are understood.
 * Firefox ext: Really much thinking and inventing!
 * Week 11
 * Jabberzilla: Lost 3 days to find a stupid mistake; looks like finished.
 * Firefox ext: Works.
 * Week 12
 * general: Testing, fixing, etc
 * Week 13
 * general: Cleanup, docs, packages, etc