ProtoXEP: Pre-Authenticated In-Band Registration

This commit is contained in:
Georg Lukas 2020-10-28 21:00:10 +01:00
parent 48018afe1b
commit 414ba1d860
1 changed files with 193 additions and 0 deletions

inbox/ibr-token.xml Normal file
View File

@ -0,0 +1,193 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
<!ENTITY % ents SYSTEM 'xep.ent'>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<title>Pre-Authenticated In-Band Registration</title>
<abstract>This document extends the In-Band-Registration protocol to use
invitation tokens, e.g. for registering accounts on non-public
<type>Standards Track</type>
<spec>XMPP Core</spec>
<remark>First version based on XEP-0401.</remark>
<section1 topic='Introduction' anchor='intro'>
<p>There are two typical mechanisms to register an account on an XMPP server:</p>
<li>Out-of-band account creation, after which the account JID and password
need to be manually entered into an XMPP client, and</li>
<li>&xep0077; (IBR) where an account is created and fully configured right
from the XMPP client.</li>
<p>The IBR mechanism is much more convenient for users, but also opens up
the server to abuse, e.g. due to the mass-registration of spam bot
accounts. Captchas, while heavily impacting well-intentioned users, are
not a reliable mechanism to prevent abuse. This specification allows to
restrict the IBR mechanism by requiring a registration token, e.g. for
giving users access to a private server, without exposing their password
to the server administrator.</p>
<p>This specification is part of a series of documents aiming at improving
user onboarding:</p>
<li>&xep0379; to automatically accept roster subscriptions based on a
<li>&xep0401; to generate tokens that can be used for authenticating IBR.</li>
<p>While this specification is designed to work together with &xep0401;, it
can be used with invitation tokens obtained by any other mechanism. XMPP
URIs can then be used out-of-band to deliver the invitation to a new user.</p>
<p>A client that obtains such an XMPP URI should allow the user to register
an XMPP account with the server that generated the URI.</p>
<section1 topic='Use Cases'>
<p>A client that implements this specification needs to understand the
&xep0147; specification, to make use of the <tt>register</tt> query
action and the <tt>preauth</tt> parameter. Three URI formats
are defined.</p>
<section2 topic="Registration with pre-defined account name">
<p>An invitation to register an account can contain a specific XMPP
address (with a pre-defined user account name) to be registered. A
client should populate the address field in the IBR dialog with this
address and disallow changing the address.</p>
<code caption="Registration URI with pre-defined account name">;preauth=TOKEN</code>
<section2 topic="Registration on a server">
<p>An invitation to register an account can contain just the server domain
to register on. A client should populate the address field in the IBR
dialog with this domain and allow entering the desired account name.</p>
<code caption="Registration URI without account name">;preauth=TOKEN</code>
<section2 topic="Contact Invitation with IBR">
<p>A contact invitation with a registration token (&xep0379;) might
indicate that the token can also be used to register an account on that
server (<tt>ibr=y</tt>). If the receiving client already has an account
configured, it may skip account registration and simply add the contact
as defined in <cite>XEP-0379</cite>. The client may also register a new
account on the domain of the proposed contact, allowing the user to
enter the desired account name.</p>
<code caption="Contact URI with Pre-Authenticated IBR support">;preauth=TOKEN;ibr=y</code>
<section1 topic='Discovery' anchor='discover'>
<p>While a registration URI is an indication that the respective server
supports Pre-Authenticated IBR, a URI might be manipulated and is not
guaranteed to be reliable.</p>
<p>Therefore, when performing the account creation, the client needs to
ensure that the server supports the Pre-Authenticated IBR protocol, as denoted by
the <strong>&lt;register xmlns='urn:xmpp:invite'></strong>
stream feature:</p>
<example caption="Stream features of a server that accepts invitations"><![CDATA[
<mechanisms xmlns='urn:xmpp:sasl:0'>
<register xmlns='urn:xmpp:invite'/>
<register xmlns=''/>
<section1 topic='Pre-Authenticated In-Band Registration' anchor='preauth-ibr'>
<p>In order to allow invited users to register on a server, the
registration processs as defined in &xep0077; needs to be extended. The
invited user's client needs to connect to the server and check that the
invitation stream feature
(<strong>&lt;register xmlns='urn:xmpp:invite'></strong>) is present.
After that, the client initiates the registration flow by sending the
preauth token to the server:</p>
<example caption="Client initiates pre-authenticated IBR"><![CDATA[
<iq type='set' to='' id='pa1'>
<preauth xmlns='urn:xmpp:pars:0' token='TOKEN' />
<p>Upon receiving the preauth request, the server must validate that the
token is acceptable for account registration. However, single-use tokens
MUST NOT be considered used until the actual registration has succeeded.
<p>In addition, if the token has an expiration time, it MUST only be
checked at this point. Subsequent actions performed by the client during
the current session that require a valid token MUST NOT be rejected due
to token expiry.
<p>If the token is acceptable, the server responds with success, and
indicates the client may now proceed with account registration:
<example caption="Server accepts invitation token"><![CDATA[
<iq type='result' from='' id='pa1' />
<p>If the token provided by the client was unknown, invalid or expired, the
server should return an appropriate error to the client:</p>
<example caption="Server rejects invitation token"><![CDATA[
<iq type="error" from="" id="pa1">
<error type='cancel'>
<item-not-found xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
<text>The provided token is invalid or expired</text>
<p>In the success case, the client proceeds with registration as defined in
&xep0077;. If the token is rejected by the server, the client still MAY
attempt to perform IBR if the server allows that.</p>
<section1 topic='Business Rules' anchor='rules'>
<p>If a username was specified when creating an invitation token, the
server SHOULD NOT create an account on the server until the invitee
actually registers it with the corresponding token.
The server MUST reserve the username at least until the corresponding
token expires.</p>
<section1 topic='Implementation Notes' anchor='impl'>
<section2 topic='XMPP Server Suggestion for Invitees'>
<p>If the invitee opens an invitation URI with <strong>ibr=y</strong> and
chooses to create a new account, the client SHOULD pre-fill the
inviter JID's domain part as the new account's domain. The client MAY
provide a mechanism to enter or choose a different server, though.</p>
<section1 topic='Security Considerations' anchor='security'>
<p>See security considerations in &xep0379;.</p>
<section1 topic='IANA Considerations' anchor='iana'>
<p>This document requires no interaction with &IANA;.</p>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
<p>This document only makes use of the XMPP URI elements defined in
<section1 topic='XML Schema' anchor='schema'>
<p>REQUIRED for protocol specifications.</p>