HTTP-Auth suite

Jump to navigation Jump to search
project info
HTTP-Auth suite

Summer of Code 2006 project

Maciej Niedzielski (machekku)
Jacek Konieczny
XEP-0070 client/server implementation

(skip intro)

Do you remember your last time working on a new machine, typing thousands of passwords on every website you wanted to visit? "it's me again, I said it a moment ago...." Wouldn't it be wonderful if you could authenticate once and then just say "yes, it's me again, I'd like to talk with you now..."?

Talk...? Talking is one of the most popular ways of using the Internet. But - for some reason - you don't need to provide your password every time you want to talk with another person. Somehow they know that it's you. So why HTTP servers do not know? And why not to teach them how to do this?

There already exists a protocol (XEP-0070) which enables HTTP server to verify HTTP requests via XMPP. It describes how HTTP server can take advantage on strong authentication provided by XMPP and just simply associate unknown (until now) user clicking a link in browser with a well-known and "well-authenticated" XMPP user.

And now, imagine that your browser acts like an (invisible) XMPP client. Sure, it will need to know your password, but this is just one password (and it's not same-password-everywhere solution!). In exchange for this one password, your XMPP-enabled HTTP browser could automatically confirm all your HTTP requests in background! You don't need to send any password to HTTP server - just tell the server: "yes, I'm a happy XMPP user!" and everything else will happen automatically.


This page is dedicated to Summer of Code 2006 project, which aims to implement XEP-0070 in a way described above. The components include:

  • Firefox extension: It will understand server's offer to use this protocol and provide all data needed to start the authentication (like user's JID). At the same time, it will act as invisible XMPP client, which will automatically confirm the requests: this way, the only user action to authenticate will be to provide their JID
  • Apache HTTPD module: It will ask user for their JID, pass it to XMPP server and then serve the requested resource (or not, if confirmation fails ;) )
  • XMPP server component: It will will ask user to confirm the request made to HTTP server.

Why would users like this?

Any way to reduce the number of passwords needed to be remembered is a blessing for a user. There are many methods to achieve this, but only solution described here has this unique combination of features:

same info everywhere
simply provide the same JID for every site: this can compete even with so widely used, so unsecure same-password-everywhere technique
same power everywhere
your XMPP account becomes a universal key, which is always with you
no passwords on the wire
there are no passwords at all
one click to authenticate
just send your JID to HTTP server (your XMPP-enabled browser will confirm your requests)

Project status

Project news and weekly reports are available on the official website.

Quick overview

Psi patch
jautod (XMPP component)
Version 0.2 released!
Apache module
Version 0.1 released!
Firefox jauto extension
Version 0.1 released!
Jabberzilla patch
Version 0.1 released!



File:SoC2006 HttpAuth early psi support.png