Difference between revisions of "HTTP-Auth suite"

From XMPP WIKI
Line 8: Line 8:
; Author: [[User:Machekku|Maciej Niedzielski (machekku)]]
; Author: [[User:Machekku|Maciej Niedzielski (machekku)]]
; Mentor: Jacek Konieczny
; Mentor: Jacek Konieczny
; Target: [http://xmpp.org/extensions/xep-0070.html XEP-0070] client/server implementation
; Target: [https://xmpp.org/extensions/xep-0070.html XEP-0070] client/server implementation
; Website: http://jauto.sourceforge.net/
; Website: http://jauto.sourceforge.net/
</div>
</div>
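Review bot: The Website line still points at http://jauto.sourceforge.net/ while the Target link in the same infobox now uses https://. If that host serves HTTPS, switch it in this revision too so the infobox does not mix schemes.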
Line 19: Line 19:
Talk...? Talking is one of the most popular ways of using the Internet. But - for some reason - you don't need to provide your password every time you want to talk with another person. Somehow they know that it's you. So why HTTP servers do not know? And why not to teach them how to do this?
Talk...? Talking is one of the most popular ways of using the Internet. But - for some reason - you don't need to provide your password every time you want to talk with another person. Somehow they know that it's you. So why HTTP servers do not know? And why not to teach them how to do this?


There already exists a protocol ([http://xmpp.org/extensions/xep-0070.html XEP-0070]) which enables HTTP server to verify HTTP requests via XMPP. It describes how HTTP server can take advantage on strong authentication provided by XMPP and just simply associate unknown (until now) user clicking a link in browser with a well-known and "well-authenticated" XMPP user.
There already exists a protocol ([https://xmpp.org/extensions/xep-0070.html XEP-0070]) which enables HTTP server to verify HTTP requests via XMPP. It describes how HTTP server can take advantage on strong authentication provided by XMPP and just simply associate unknown (until now) user clicking a link in browser with a well-known and "well-authenticated" XMPP user.


And now, imagine that your browser acts like an (invisible) XMPP client. Sure, it will need to know your password, but this is just one password (and it's not same-password-everywhere solution!). In exchange for this one password, your XMPP-enabled HTTP browser could automatically confirm all your HTTP requests in background! You don't need to send any password to HTTP server - just tell the server: "''yes, I'm a happy Jabber user!''" and everything else will happen automatically.
And now, imagine that your browser acts like an (invisible) XMPP client. Sure, it will need to know your password, but this is just one password (and it's not same-password-everywhere solution!). In exchange for this one password, your XMPP-enabled HTTP browser could automatically confirm all your HTTP requests in background! You don't need to send any password to HTTP server - just tell the server: "''yes, I'm a happy XMPP user!''" and everything else will happen automatically.


== Project ==
== Project ==
This page is dedicated to [http://code.google.com/soc/ Summer of Code 2006] project, which aims to implement [http://xmpp.org/extensions/xep-0070.html XEP-0070] in a way described above.
This page is dedicated to [http://code.google.com/soc/ Summer of Code 2006] project, which aims to implement [https://xmpp.org/extensions/xep-0070.html XEP-0070] in a way described above.
The components include:
The components include:
* Firefox extension: It will understand server's offer to use this protocol and provide all data needed to start the authentication (like user's JID). At the same time, it will act as invisible XMPP client, which will automatically confirm the requests: this way, the only user action to authenticate will be to provide their JID
* Firefox extension: It will understand server's offer to use this protocol and provide all data needed to start the authentication (like user's JID). At the same time, it will act as invisible XMPP client, which will automatically confirm the requests: this way, the only user action to authenticate will be to provide their JID
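Review bot: The "There already exists a protocol" paragraph gets only the link scheme change and keeps "take advantage on strong authentication"; since the line is being edited anyway, correct it to "take advantage of". In the Project paragraph the Summer of Code link also stays on http:// next to the updated XEP-0070 link.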
Line 54: Line 54:
** [http://jauto.sourceforge.net/subprojects/psi-jauto/ psi]: Displays incoming requests.
** [http://jauto.sourceforge.net/subprojects/psi-jauto/ psi]: Displays incoming requests.
** [http://jauto.sourceforge.net/subprojects/jautod/ jautod]: Sends request as a reply to a message (just for testing Psi).
** [http://jauto.sourceforge.net/subprojects/jautod/ jautod]: Sends request as a reply to a message (just for testing Psi).
** [http://xmpp.org/extensions/xep-0070.html XEP-0070]: Prepared draft changes and sent do XEP Editor.
** [https://xmpp.org/extensions/xep-0070.html XEP-0070]: Prepared draft changes and sent do XEP Editor.
* [http://jauto.sourceforge.net/2006/06/12/week-3/ Week 3]  
* [http://jauto.sourceforge.net/2006/06/12/week-3/ Week 3]  
** [http://jauto.sourceforge.net/subprojects/psi-jauto/ psi]: [http://listserver.dreamhost.com/pipermail/psi-devel-affinix.com/2006-June/005726.html Improved stanza error handling.]
** [http://jauto.sourceforge.net/subprojects/psi-jauto/ psi]: [http://listserver.dreamhost.com/pipermail/psi-devel-affinix.com/2006-June/005726.html Improved stanza error handling.]
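Review bot: The Week 2 XEP-0070 item still reads "sent do XEP Editor" after the edit. Fix it to "sent to the XEP Editor" in the same change as the link update.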
Line 99: Line 99:
== References ==
== References ==
* [http://jauto.sourceforge.net/ Official Website of the project]
* [http://jauto.sourceforge.net/ Official Website of the project]
* [http://xmpp.org/extensions/xep-0070.html XEP-0070]
* [https://xmpp.org/extensions/xep-0070.html XEP-0070]
* [http://machekku.uaznia.net/jabber/http-auth/soc2006_application.html my original Summer of Code application]
* [http://machekku.uaznia.net/jabber/http-auth/soc2006_application.html my original Summer of Code application]


[[Category:Summer of Code 2006]]
[[Category:Summer of Code 2006]]

Latest revision as of 00:59, 18 December 2020

project info
HTTP-Auth suite

Summer of Code 2006 project

Author: Maciej Niedzielski (machekku)
Mentor: Jacek Konieczny
Target: XEP-0070 client/server implementation
Website: http://jauto.sourceforge.net/


Do you remember the last time you worked on a new machine, typing thousands of passwords on every website you wanted to visit? "It's me again, I said it a moment ago..." Wouldn't it be wonderful if you could authenticate once and then just say "yes, it's me again, I'd like to talk with you now..."?

Talk...? Talking is one of the most popular ways of using the Internet. But, for some reason, you don't need to provide your password every time you want to talk with another person. Somehow they know that it's you. So why don't HTTP servers know? And why not teach them how to do this?

A protocol already exists (XEP-0070) that enables an HTTP server to verify HTTP requests via XMPP. It describes how an HTTP server can take advantage of the strong authentication provided by XMPP and simply associate a (until now) unknown user clicking a link in a browser with a well-known and "well-authenticated" XMPP user.

And now, imagine that your browser acts like an (invisible) XMPP client. Sure, it will need to know your password, but this is just one password (and it's not a same-password-everywhere solution!). In exchange for this one password, your XMPP-enabled HTTP browser could automatically confirm all your HTTP requests in the background! You don't need to send any password to the HTTP server: just tell the server "yes, I'm a happy XMPP user!" and everything else will happen automatically.

Project

This page is dedicated to a Summer of Code 2006 project, which aims to implement XEP-0070 in the way described above. The components include:

  • Firefox extension: It will understand the server's offer to use this protocol and provide all data needed to start the authentication (like the user's JID). At the same time, it will act as an invisible XMPP client, which will automatically confirm the requests: this way, the only user action needed to authenticate will be to provide their JID.
  • Apache HTTPD module: It will ask the user for their JID, pass it to the XMPP server and then serve the requested resource (or not, if confirmation fails ;) )
  • XMPP server component: It will ask the user to confirm the request made to the HTTP server.
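
The confirmation step from the component list above, as an added example that is not the project's own code: a client that confirms requests automatically should approve a XEP-0070 <confirm/> request only if it matches an HTTP request the browser itself started, and only once. The pending-request table, the trusted-sender set, the function name and the sample JIDs and URL are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

HTTP_AUTH_NS = "http://jabber.org/protocol/http-auth"  # XEP-0070 <confirm/> namespace
STANZAS_NS = "urn:ietf:params:xml:ns:xmpp-stanzas"


def answer_confirm(iq_xml, pending, trusted_senders):
    """Build the reply to an incoming XEP-0070 confirmation request.

    pending         -- {transaction id: (method, url)} for HTTP requests this
                       browser really sent (hypothetical bookkeeping)
    trusted_senders -- JIDs allowed to ask for confirmation (assumption)
    """
    iq = ET.fromstring(iq_xml)
    confirm = iq.find(f"{{{HTTP_AUTH_NS}}}confirm")
    reply = ET.Element("iq", {"to": iq.get("from", ""), "id": iq.get("id", "")})
    approved = False
    if confirm is not None and iq.get("type") == "get" and iq.get("from") in trusted_senders:
        tid = confirm.get("id")
        seen = (confirm.get("method"), confirm.get("url"))
        # Confirm only a transaction we started, for the same method and URL,
        # and only once: the entry is removed whether or not it matched.
        approved = pending.pop(tid, None) == seen
    if confirm is not None:
        reply.append(confirm)  # the reply echoes the <confirm/> element
    if approved:
        reply.set("type", "result")
    else:
        reply.set("type", "error")
        error = ET.SubElement(reply, "error", {"type": "auth"})
        ET.SubElement(error, f"{{{STANZAS_NS}}}not-authorized")
    return reply


# Constructed sample stanza, not captured traffic.
SAMPLE_IQ = """<iq type='get' from='auth.example.org' to='user@example.org/browser' id='ha000'>
  <confirm xmlns='http://jabber.org/protocol/http-auth'
           id='tx-42' method='GET' url='https://files.example.org/private/report'/>
</iq>"""

if __name__ == "__main__":
    pending = {"tx-42": ("GET", "https://files.example.org/private/report")}
    for attempt in (1, 2):  # the second, replayed request must be refused
        reply = answer_confirm(SAMPLE_IQ, pending, {"auth.example.org"})
        print(attempt, ET.tostring(reply, encoding="unicode"))
```

A request from an unlisted sender, or one whose method or URL differs from what the browser sent, gets the same not-authorized error as the replay.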

Why would users like this?

Any way to reduce the number of passwords a user has to remember is a blessing. There are many methods to achieve this, but only the solution described here has this unique combination of features:

same info everywhere: simply provide the same JID for every site; this can compete even with the widely used and insecure same-password-everywhere technique
same power everywhere: your XMPP account becomes a universal key, which is always with you
no passwords on the wire: there are no passwords at all
one click to authenticate: just send your JID to the HTTP server (your XMPP-enabled browser will confirm your requests)

Project status

Project news and weekly reports are available on the official website.

Quick overview

Psi patch: submitted
jautod (XMPP component): Version 0.2 released!
Apache module: Version 0.1 released!
Firefox jauto extension: Version 0.1 released!
Jabberzilla patch: Version 0.1 released!

Progress




Screenshots

File:SoC2006 HttpAuth early psi support.png

References