diff --git a/inbox/ibr-token.xml b/inbox/ibr-token.xml new file mode 100644 index 00000000..b5b512e7 --- /dev/null +++ b/inbox/ibr-token.xml @@ -0,0 +1,193 @@ + + +%ents; +]> + + +
+ Pre-Authenticated In-Band Registration + This document extends the In-Band-Registration protocol to use + invitation tokens, e.g. for registering accounts on non-public + servers. + + &LEGALNOTICE; + xxxx + ProtoXEP + Standards Track + Standards + Council + + XMPP Core + XEP-0077 + XEP-0147 + XEP-0379 + XEP-0401 + + + + ibr-token + + Georg + Lukas + + + 0.1.0 + 2020-10-28 + gl + First version based on XEP-0401. + +
+ +

There are two typical mechanisms to register an account on an XMPP server:

+ +

The IBR mechanism is much more convenient for users, but also opens up + the server to abuse, e.g. due to the mass-registration of spam bot + accounts. Captchas, while heavily impacting well-intentioned users, are + not a reliable mechanism to prevent abuse. This specification allows to + restrict the IBR mechanism by requiring a registration token, e.g. for + giving users access to a private server, without exposing their password + to the server administrator.

+

This specification is part of a series of documents aiming at improving + user onboarding:

+ +

While this specification is designed to work together with &xep0401;, it + can be used with invitation tokens obtained by any other mechanism. XMPP + URIs can then be used out-of-band to deliver the invitation to a new user.

+

A client that obtains such an XMPP URI should allow the user to register + an XMPP account with the server that generated the URI.

+
+ + +

A client that implements this specification needs to understand the + &xep0147; specification, to make use of the register query + action and the preauth parameter. Three URI formats + are defined.

+ +

An invitation to register an account can contain a specific XMPP + address (with a pre-defined user account name) to be registered. A + client should populate the address field in the IBR dialog with this + address and disallow changing the address.

+ xmpp:juliet@example.com?register;preauth=TOKEN +
+ + +

An invitation to register an account can contain just the server domain + to register on. A client should populate the address field in the IBR + dialog with this domain and allow entering the desired account name.

+ xmpp:example.com?register;preauth=TOKEN +
+ + +

A contact invitation with a registration token (&xep0379;) might + indicate that the token can also be used to register an account on that + server (ibr=y). If the receiving client already has an account + configured, it may skip account registration and simply add the contact + as defined in XEP-0379. The client may also register a new + account on the domain of the proposed contact, allowing the user to + enter the desired account name.

+ xmpp:romeo@example.com?roster;preauth=TOKEN;ibr=y +
+
+ + +

While a registration URI is an indication that the respective server + supports Pre-Authenticated IBR, a URI might be manipulated and is not + guaranteed to be reliable.

+

Therefore, when performing the account creation, the client needs to + ensure that the server supports the Pre-Authenticated IBR protocol, as denoted by + the <register xmlns='urn:xmpp:invite'> + stream feature:

+ + + EXTERNAL + SCRAM-SHA-1-PLUS + SCRAM-SHA-1 + PLAIN + + + + +]]> +
+ +

In order to allow invited users to register on a server, the + registration processs as defined in &xep0077; needs to be extended. The + invited user's client needs to connect to the server and check that the + invitation stream feature + (<register xmlns='urn:xmpp:invite'>) is present. + After that, the client initiates the registration flow by sending the + preauth token to the server:

+ + + +]]> +

Upon receiving the preauth request, the server must validate that the + token is acceptable for account registration. However, single-use tokens + MUST NOT be considered used until the actual registration has succeeded. +

+

In addition, if the token has an expiration time, it MUST only be + checked at this point. Subsequent actions performed by the client during + the current session that require a valid token MUST NOT be rejected due + to token expiry. +

+

If the token is acceptable, the server responds with success, and + indicates the client may now proceed with account registration: +

+ +]]> +

If the token provided by the client was unknown, invalid or expired, the + server should return an appropriate error to the client:

+ + + + The provided token is invalid or expired + + +]]> +

In the success case, the client proceeds with registration as defined in + &xep0077;. If the token is rejected by the server, the client still MAY + attempt to perform IBR if the server allows that.

+
+ +

If a username was specified when creating an invitation token, the + server SHOULD NOT create an account on the server until the invitee + actually registers it with the corresponding token. + The server MUST reserve the username at least until the corresponding + token expires.

+
+ + +

If the invitee opens an invitation URI with ibr=y and + chooses to create a new account, the client SHOULD pre-fill the + inviter JID's domain part as the new account's domain. The client MAY + provide a mechanism to enter or choose a different server, though.

+
+
+ +

See security considerations in &xep0379;.

+
+ +

This document requires no interaction with &IANA;.

+
+ +

This document only makes use of the XMPP URI elements defined in + &xep0401;

+
+ +

REQUIRED for protocol specifications.

+
+