What's the current state of XMPP and OpenID Connect?
Uncategorized
9
Posts
3
Posters
0
Views
-
What's the current state of XMPP and OpenID Connect? My web search returned that ejabberd is still considering if and how to implement and Prosody has experimental alpha-stage support via a module. I couldn't find anything conclusive in regards to XMPP clients. What's with Gajim(?) and Conversations? Or other clients? Are there any web clients supporting OIDC?
-
What's the current state of XMPP and OpenID Connect? My web search returned that ejabberd is still considering if and how to implement and Prosody has experimental alpha-stage support via a module. I couldn't find anything conclusive in regards to XMPP clients. What's with Gajim(?) and Conversations? Or other clients? Are there any web clients supporting OIDC?
@fluchtkapsel the answer depends a bit on what you are trying to achieve. Authenticate against a third party? Throw the password away and log in with a session cookie? Give access to third parties to data on the XMPP server?
We do the session tokens with FAST.
Prosody has some support for giving third parties access to (scoped) data on the XMPP server and clients (Conversations and Gajim) aren't involved here. -
@fluchtkapsel the answer depends a bit on what you are trying to achieve. Authenticate against a third party? Throw the password away and log in with a session cookie? Give access to third parties to data on the XMPP server?
We do the session tokens with FAST.
Prosody has some support for giving third parties access to (scoped) data on the XMPP server and clients (Conversations and Gajim) aren't involved here.@daniel I have Keycloak running and ponder if I want to go for Prosody again but authenticating against Keycloak this time. This means, users are created and managed in Keycloak. My previous projects with Keycloak used OIDC for authentication. But the clients should be able to authenticate via OIDC otherwise this would be futile 🙂.
-
@daniel I have Keycloak running and ponder if I want to go for Prosody again but authenticating against Keycloak this time. This means, users are created and managed in Keycloak. My previous projects with Keycloak used OIDC for authentication. But the clients should be able to authenticate via OIDC otherwise this would be futile 🙂.
@fluchtkapsel Authenticating with oauth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we loose nice security features like channel binding by using web stuff.
-
@fluchtkapsel Authenticating with oauth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we loose nice security features like channel binding by using web stuff.
@daniel@gultsch.social @fluchtkapsel@nerdculture.de @mattj@floss.social Sure but if someone already uses external auth, being able to add xmpp to the stack would bring extra security features like global 2FA.
Here is my use case. I use LDAP for authentication and currently in the process of adding keycloak for oidc. XMPP at this point needs to stay with LDAP only, while it would be an added feature for me if it would support openid
-
@daniel@gultsch.social @fluchtkapsel@nerdculture.de @mattj@floss.social Sure but if someone already uses external auth, being able to add xmpp to the stack would bring extra security features like global 2FA.
Here is my use case. I use LDAP for authentication and currently in the process of adding keycloak for oidc. XMPP at this point needs to stay with LDAP only, while it would be an added feature for me if it would support openid
@muppeth @mattj @fluchtkapsel Sticking with LDAP would at least on paper leave the door open for channel binding.
2FA could be added to XMPP w/o involving web stack stuff.
I'm not fundamentally opposed to oauth. I'm just pointing out that the use case of oauth is convenience rather than added security. If we implement it wrong me might even loose security (channel binding).
-
@fluchtkapsel Authenticating with oauth with a third party is not currently available. @mattj probably has the most insights into what steps we made into that direction yet.
Part of the problem is that we loose nice security features like channel binding by using web stuff.
-
@fluchtkapsel @mattj Channel Binding ensures that client and server are in the same TLS session by mixing in unique stuff from the session into the password handshake. This is basically MITM protection for the TLS layer.
For more information the search keywords would be: SASL, SCRAM and Channel binding. The XEP is just negotiation and boring wrt the security aspects.
-
@fluchtkapsel @mattj Channel Binding ensures that client and server are in the same TLS session by mixing in unique stuff from the session into the password handshake. This is basically MITM protection for the TLS layer.
For more information the search keywords would be: SASL, SCRAM and Channel binding. The XEP is just negotiation and boring wrt the security aspects.
@fluchtkapsel @mattj there is also this talk in German that explains my motivation behind my push towards channel binding:
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@GustavinoBevilacqua @ju ma non possiamo fare estinguere solo le teste di cazzo?
-
@foone «and it's not even new year»
-
@stefano And there we have proof that your posts are AI generated 😜
-
@gubi
Sempre detto che quello che va bene agli ucraini va bene anche a me.
Se vogliono combattere vanno sostenuti, se vogliono trattare vanno sostenuti.
I piani di invasione Russa ci sarebbero stati DI CERTO se avessimo abbozzato, come con l'annessione della Crimea, su tutta Ucraina.
Ora, per sfinimento Russia, FORSE Putin non si imbarcherà in altre guerre.
Non per ora almeno.
Ma farsi trovare impreparati sarebbe stupido.
Gli Ucraini lo erano, si eran fidati, e guarda dove sono.
-
@marcstir per dire che "liberarsi da un regime non è facile" dobbiamo vedere se è più facile vincere una guerra contro la prima potenza nucleare del mondo, con gli USA che prima ti fomentano nell'atlantismo per mandarti al macello e poi ti schiacciano cotto i piedi per farti accettare cessione di territorio. La difesa popolare nonviolenta, si basa sul principio che nessun popolo può essere dominato senza la partecipazione attiva del popolo invaso, e la noncollaborazione può far saltare un regime
-
@francina1909 Groenlandia?
Occhio ad aprire la finestra che ti ritrovi Trump all'uscio 🤣
-
@marcstir basta soffermarsi sullo spazio semantico infinito che separa i concetti di guerra e resistenza, sulle forme di resistenza non armata e nonviolenta alle invasioni, sugli studi scientifici sulla difesa civile, la difesa popolare e la prevenzione dei conflitti prima che diventino guerre. Altrimenti se "resistenza" diventa il vestito nobile che diamo alla solita guerra violenta, armata e tribale, non facciamo onore alla resistenza italiana, che fu anche rivolta popolare e civile.
-
@mariosiniscalchi prendo atto che adesso va bene anche una guerra finita da Putin senza integrità territoriale, bisognerebbe spiegarlo a quelli che si volevano riprendere anche la Crimea manu militari con la pelle degli ucraini e i soldi dei pacifisti, fregandosene di quello che esprimevano gli ucraini attraverso i #sondaggiucraina
Rilevo anche che non si parla più dei piani di invasione russa dell'Europa, quelli andavano millantati solo per giustificare una folle spesa bellica.
