<remark>Expanded introduction, requirements, implementation notes, security concerns, and added server response use case.</remark>
</revision>
<revision>
<version>0.1</version>
<date>2003-06-25</date>
<initials>red</initials>
<remark>Initial version.</remark>
</revision>
</header>
<section1topic='Introduction'>
<p>Jabber Ticket Authentication is a method of authenticating with HTTP servers using your jabber identification.</p>
<p>This allows you to login to websites using your jabber address in a single sign-on fashion similar to .NET Passport, but unlike .NET Passport is not locked into a single authentication provider.</p>
<p>Tickets also mean the jabber ticket provider and the web server do not need to be tightly integrated for authentication to work, also because its not tightly integrated it means webmasters do not need to setup their own jabber server to provide tickets, they can use a third party provider even a central "tickets.jabber.org". Also because tickets are not tightly integrated it makes it far easier for webmasters to integrate with Jabber, it also makes web farms far more scalable and reliable.</p>
<li>To provide a method of using a jabber connections authenticated stream to provide a method of authenticating with an HTTP server.</li>
<li>To provide this authentication without needing the jabber ticket component and the webserver to be tightly coupled, this is essential in a web farm environment for scalability.</li>
<li>To make the communication between the jabber client and the server(s) as simple as possible.</li>
</ul>
</section1>
<section1topic='Use Cases'>
<section2topic='Client web browser window requests a Jabber Ticket Authentication protected web page'>
<examplecaption='Request for page'><![CDATA[
GET http://www.webserver.com/webpage.html HTTP/1.1]]></example>
<examplecaption='The server responds with a 401 and WWW-Authenticate header'><![CDATA[
<section2topic='Server responds and allows or denies access to the file'>
<examplecaption='Server allows access'><![CDATA[
200 OK HTTP/1.1
Content-Type: text/html]]></example>
<examplecaption='Server denies access'><![CDATA[
403 Forbidden HTTP/1.1]]></example>
</section2>
</section1>
<section1topic='Implementation Notes'>
<p>The following guidelines may assist developers.</p>
<ul>
<li>The ticket can be encrypted however the provider likes since only they will need to understand it.</li>
<li>The ticket must somewhere contain in it the JID of the end user (or some method of knowing who the user is), so that the webserver knows who it is.</li>
<li>It is recommended that your tickets also use an extra level of authentication such as ensuring the User-Agent is the same across requests, that the ip address is the same across requests.</li>
</ul>
</section1>
<section1topic='Security Considerations'>
<section2topic='Man in the middle'>
<p>This form of HTTP authentication is susceptable to man in the middle attack where the ticket could be captured and retransmitted by someone else, but this can be solved by using an encrypted jabber connection (e.g. HTTPS) and an HTTPS connection to the webserver.</p>
</section2>
<section2topic='Key length'>
<p>It is recommended the encryption key length for the ticket be long enough to make it hard to crack the ticket.</p>
</section2>
<section2topic='Ticket expiration'>
<p>It is recommended the ticket has an expiration and that it be between a few minutes and a few hours, e.g. 60 minutes.</p>
</section2>
</section1>
<section1topic='IANA Considerations'>
<p>The HTTP authentication scheme "JabberTicket" may need to be registered with IANA.</p>