<abstract>This specification defines a way for an XMPP servers to deliver information for use in push notifications to mobile and other devices.</abstract>
<p>The purpose of push notifications is to inform users of new messages or other pertinent information even when they have no XMPP clients online.</p>
<p>Typically, these notifications are delivered to a user's mobile device, displaying a notice that can trigger opening an XMPP client to continue a conversation or answer a Jingle session request.</p>
<p>There have been several push notification implementations by mobile XMPP client vendors. However, experience has shown that these implementations carried several drawbacks:</p>
<li>Treated the XMPP client and XMPP server as one unified service, such that push notifications only worked using the "official" client.</li>
<li>Proxied a user's session through the client provider's backend services in order to monitor for and trigger push notifications.</li>
</ul>
<p>The goal for this document is to make the generalized case possible, whereby a user may use their XMPP client of choice with their own server of choice. The requirements are thus:</p>
<ul>
<li>Allow XMPP servers to support push notifications to multiple client implementations, via multiple external or proprietary push services.</li>
<li>Allow clients to receive push notifications from multiple third-party XMPP servers.</li>
<li>Eliminate the need for clients to proxy a user's XMPP session in order to enable push notifications.</li>
<pclass='em'>Note: Any publish-subscribe use cases not described herein are described in &xep0060;. Also, this document does not show error flows related to the generic publish-subscribe use cases referenced herein, since they are exhaustively defined in <cite>XEP-0060</cite>. The reader is referred to <cite>XEP-0060</cite> for all relevant protocol details related to the XMPP publish-subscribe extension. This document merely defines a "subset" or "profile" of XMPP publish-subscribe.</p>
<section1topic='Concepts and Approach'anchor='concepts'>
<p>XMPP Push works between the user's XMPP server and two push notification services in tandem:</p>
<ol>
<li>The user's XMPP server publishes notifications to the XMPP Push Service of each of the user's client applications.</li>
<li>The XMPP Push Service (as defined here) for a client application then delivers the notification to a third-party notification delivery service.</li>
<li>The third-party (and potentially proprietary or platform-dependent) push service delivers the notification from the client application's backend service to the user's device.</li>
<p>This two-tiered push architecture allows the user's XMPP server to deliver notifications to arbitrary third-party clients, and in turn allows those clients to use the appropriate delivery mechanism for their platforms without having to share any private keys or other credentials with the XMPP server.</p>
<section2topic='General Architecture of a Push Notification Service'anchor='general-architecture'>
<p>The current state-of-the-art for a generic push notification service requires four actors:</p>
<dl>
<di>
<dt>App Client</dt>
<dd>The app client is the software installed and ran by the user, and is the final receiver of a push notification.</dd>
</di>
<di>
<dt>App Server</dt>
<dd>The app server is a backend service for the app client. At minimum, the app server exists to trigger push notifications, but it often also performs business logic for the app.</dd>
</di>
<di>
<dt>User Agent</dt>
<dd>The user agent is a service running locally on the user's device which receives push notifications and delivers them to the appropriate application.</dd>
<dd>The push service ferries notifications from the App Server to the User Agent. How it does so is often proprietary and vendor/platform dependent.</dd>
<p>An XMPP Push Service is a PubSub service as defined by the XMPP <cite>XEP-0060</cite> extension. The functional difference between a Push Service and a generic pubsub service is that a Push Service will generally summarize and forward published content via non-XMPP mechanisms.</p>
<pclass='em'>Note: a Push Service is provided by a specific client application as part of the App Server. A user's XMPP server will typically <em>not</em> act as a Push Service itself, but will instead publish to the Push Services for the user's client applications.</p>
<section2topic='Recommended Defaults'>
<p>A Push Service MUST:</p>
<ul>
<li>Support the 'whitelist' access model and set it to the default.</li>
<li>Support the 'publish-only' affiliation.</li>
</ul>
</section2>
<section2topic='Business Rules'>
<p>Each PubSub node is a delivery target for the Push Service, which could represent multiple devices for a single user.</p>
<p>In order to prevent information leaks, each node SHOULD be configured with a 'whitelist' access model so that only trusted entities are able to view or subscribe to published notifications. Furthermore, the 'publish-only' affiliation SHOULD be used to allow acceptable entities (such as the server JID and the user's bare JID) to publish to the node to trigger notifications.</p>
<p>Care SHOULD be taken to ensure that publish requests are coming from the user's server and not from other third-party client applications using the full JID of a user. A Push Service MAY opt to only accept or further process publish requests from server JIDs and bare user JIDs to ensure that only a user's server is able to publish, but it SHOULD instead use publish options with credentials shared only with the user's server (see <linkurl='#enabling'>Enabling Notifications</link>).</p>
<p>Before enabling or disabling push services, a client SHOULD determine whether the user's server supports publishing push notifications; to do so, it MUST send a &xep0030; information quest to the user's bare JID:</p>
<examplecaption='Client queries server regarding protocol support'><![CDATA[
<p>If the user's server supports publishing push notifications and the account is provisioned to allow them, the server MUST include the feature 'urn:xmpp:push:0' in its list of supported features.</p>
<p>If a service supports the XMPP Push Service publish-subscribe profile described herein, it MUST include an identity of "pubsub/push" in "disco#info" results.</p>
<examplecaption='Service identifies as a Push Services'><![CDATA[
<p>The full process for enabling notifications requires initializing two separate push services: between the App Client and App Server, and between the App Server and the user's XMPP server.</p>
<pclass='em'>Note: It is assumed that an App Client is able to perform any registration procedures it requires to bootstrap its own preferred push notification system. Furthermore, it is assumed that the App Client or App Server is able to provision a node on its own XMPP Push Service. It is possible, but not required, to perform these actions over XMPP using &xep0077;.</p>
<ol>
<li>The App Client performs any necessary bootstrapping and registration for its preferred push service.</li>
<li>The App Client registers itself with the App Server.</li>
<li>The App Server allocates or reuses a node on the App Server's XMPP Push Service.</li>
<li>The App Server informs the App Client of the provisioned node, along with any additional parameters required for publishing to that node.</li>
<li>The App Client requests the XMPP server to publish notifications to the given node.</li>
</ol>
<examplecaption='The full flow of enabling push notifications for an application'><![CDATA[
<p>For the last step, the App Client sends an IQ-set to the user's bare JID with an <enable /> element qualified by the 'urn:xmpp:push:0' namespace, which MUST contain a 'jid' attribute of the XMPP Push Service being enabled. It SHOULD contain a 'node' attribute which is set to the provisioned node specified by the App Server.</p>
<p>An App Server MAY require additional information to be provided with each published notification, such as authentication credentials. These parameters are included in the enable request by adding a &xep0004; data form with a FORM_TYPE of 'http://jabber.org/protocol/pubsub#publish-options'.</p>
<p>The JID for a Push Service MAY be enabled multiple times for a user only if different node values are provided. If the combination of JID and node has already been enabled, then the server SHOULD use the last received request for any publish options.</p>
<p>If the user decides to stop push notifications for a particular client application, the App Client SHOULD send an IQ-set to the user's bare JID with a <disable /> element qualified by the 'urn:xmpp:push:0' namespace, which MUST include a 'jid' attribute of the service to be removed.</p>
<examplecaption='Disabling all notifications to a given service'><![CDATA[
<p>A 'node' attribute MAY be included to remove a particular JID and node combination if multiple nodes have been enabled for a single service JID.</p>
<p>If a 'node' attribute is provided, then only that combination of JID and node SHOULD be removed from the set of enabled services. Otherwise, the server SHOULD disable all enabled entries for the specified service for the user.</p>
<p>When a service is not enabled, the server MUST NOT attempt publishing notifications to the service.</p>
<p>When the user's server detects an event warranting a push notification, it performs a PubSub publish to all XMPP Push Services registered for the user, where the item payload is a <notification /> element in the 'urn:xmpp:push:0' namespace.</p>
<p>A &xep0004; data form whose FORM_TYPE is 'urn:xmpp:push:summary' MAY be included to provide summarized information such as the number of unread messages or number of pending subscription requests.</p>
<p>If a publish request is returned with an IQ-error, then the server SHOULD consider the particular JID and node combination to be disabled.</p>
<p>However, a server MAY choose to keep a service enabled if the error is deemed recoverable or transient, until a sufficient number of errors have been received in a row.</p>
<p>Once the notification has been published to the XMPP Push Service, it is left to the implementation how to deliver the notification to the user's device. However, the general flow for the process looks like so:</p>
<examplecaption='The full path of a push notification, from XMPP server to user client'><![CDATA[
<p>It can be desirable for an XMPP Push Service to stop accepting notifications from the user's XMPP server. To do so, the XMPP Push Service removes the 'publish-only' (or other publish-enabling affiliation) from the user's JID, and MAY send an affiliation change notice to the user's bare JID:</p>
<p>Upon receiving an affiliation change event, the server MAY remove the received JID and node combination from the set of enabled services. If a server does not do so, then the service will be removed from the enabled set through the error handling process.</p>
<p>Push notifications require routing private information, such as message bodies, through third parties. As such, servers SHOULD allow users to limit the information sent via push notifications.</p>
<p>It is NOT RECOMMENDED to allow in-band modification of push notification content settings. Such operations SHOULD be done out-of-band to prevent privilege escalation.</p>
<p>&xep0068; defines a process for standardizing the fields used within Data Forms scoped by a particular namespace, and the XMPP Registrar maintains a registry of such FORM_TYPES (see &FORMTYPES;).</p>
<p>The XMPP Registrar includes a category of "component" in its registry of Service Discovery identities (see &DISCOCATEGORIES;); as a result of this document, the Registrar includes a type of "jidprep" to that category.</p>