<abstract>This document defines a protocol and URI scheme for pre-authenticated roster links that allow a third party to automatically obtain the user's presence subscription. The goal of this is to make onboarding of new XMPP IM contacts as easy as possible.</abstract>
<legal>
<copyright>This XMPP Extension Protocol is copyright (c) 1999 - 2016 by the XMPP Standards Foundation (XSF).</copyright>
<permissions>Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.</permissions>
<warranty>## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. In no event shall the XMPP Standards Foundation or the authors of this Specification be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification. ##</warranty>
<liability>In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising out of the use or inability to use the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.</liability>
<conformance>This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which may be found at <<linkurl='http://xmpp.org/extensions/ipr-policy.shtml'>http://xmpp.org/extensions/ipr-policy.shtml</link>> or obtained by writing to XSF, P.O. Box 1641, Denver, CO 80201 USA).</conformance>
If the "preauth" parameter is present, the processing client is supposed
not only to add the user to the roster, but also to automatically send a
subscription request containing the authentication token.
</p>
<p></p>
<p><strong>Server-side implementation:</strong> it is
possible (but out-of-scope for this document), to let the user's server
handle generation of links as well as automatic approval of qualified
subscription requests. This requires an additional mechanism to query the
server for new (and possibly also for pending) invitation links.</p>
</section2>
<section2topic='Out-of-band transmission and presentation of the link'anchor='link_transmission'>
<p>As Romeo doesn't know Juliet's JID in advance, he needs to use an out-of-band method (like e-mail, QR codes or NFC) to transmit the invitation link to Juliet. While these methods allow transmission of <strong>xmpp:</strong> URIs, there is no mechanism to ensure that Juliet actually has a client installed that can open the URI.</p>
<p>One way to solve this problem is to present Juliet with a web-based landing page that contains the following elements:</p>
<ul>
<li>A short text that this is an XMPP invitation from Romeo.</li>
<li>A client recommendation (based on the detected web browser) with download links.</li>
<li>A prominent button that activates the actual <strong>xmpp:</strong> link.</li>
</ul>
<p>There are multiple options where such a landing page could be hosted:</p>
<ol>
<li><strong>XSF:</strong> a central place would provide a common ground
for a curated client list and ensure long-term availability. However,
the operator would be able to collect meta-data and abuse authentication tokens.</li>
<li><strong>Client developer:</strong> the developer of Romeo's client can
provide a landing page for invitation requests created with this
client. This is a feasible short-term solution and allows to recommend
the same client as used by the link sender. However, it shares the
privacy objections of the XSF solution and can not guarantee
long-term availability of the service. If the client development shuts
down, invitation links created with the client will cease working.</li>
<li><strong>User's server:</strong> this is the optimal long-term
solution, as the user's server is already entrusted with the relevant
meta-data and will exist at least as long as the user's account on that
server. However, this requires an additional server component to query
for invitation URIs and a web server hosting the landing page.
Furthermore, the server operator needs to maintain the list of
recommended clients.</li>
</ol>
<examplecaption='Developer-Hosted Landing Page Generated with yaxim'><