Namespace Delegation

%ents; ]>

Namespace Delegation This specification provides a way for XMPP server to delegate treatments for a namespace to an other entity &LEGALNOTICE; 0355 Experimental Standards Track Standards Council XMPP Core XEP-0004 XEP-0297 NOT_YET_ASSIGNED Jérôme Poisson goffi@goffi.org goffi@jabber.fr 0.1 2014-12-18 XEP Editor (mam)

Initial published version approved by the XMPP Council.

0.0.1 2014-11-13 jp

First draft.

Some XMPP features must be offered by the server itself, or can't be available, that's the case of &xep0163; which is used in several places (e.g. bookmarks storage). But it can be desirable to use an external entity to manage some of these features, because it implements things that the server don't, or because it uses a special implementation useful in a particular case. Some people may also want to decentralize a feature on an entity under their control. This XEP try to solve these cases.
Additionaly, a method to do generic treatments (independent of server) on stanza is also provided.

This XEP is complementary to priviliged entity XEP (and works in a similar way), although they can be used together or separately.

Here are some use cases of namespace delegation:

use an external component for a PEP service because the server doesn't implement it or lacks some features
decentralize a server feature to an entity under client control
make a component which react on new user registration, independent of server implementation
server agnostic roster filtering

Namespace delegation can be used in two modes:

admin mode, where delegation is specified by the server administrator.
client mode, where it can be requested by any user.

In admin mode, the managing entity manages stanza of the delegated namespace for all users registered on the server. The namespace delegation MUST be totally transparent for the managed entities.

In client mode, a managing entity MUST have an explicit authorization for any namespace he wants to use. Client SHOULD be able to check and revoke granted permissions, and if it's not possible, permissions MUST be revoked after a disconnection.

Delegated namespace — the namespace being managed by an external entity.
Managing entity — the entity which actualy manages the delegated namespace.
Managed entity — an entity which wants to have a namespace of its server delegated to a managing entity.

Once the managing entity is authenticated and stream is started, the entity can request to manage a namespace. It does it by sending an &IQ; stanza with 'urn:xmpp:delegation:0' namespace. The &QUERY; element MUST have a type of value "request" and MAY have a 'delegation' attribute with the value "admin".

Namespace delegations are asked with a <delegate/> element, which MUST contain a 'namespace' attribute set to the requested namespace.

Only <iq/> stanza namespaces can be delegated.

]]>

If the server accepts the delegation (e.g.: namespace mapping specified in configuration), it MUST return an &IQ; result stanza, with allowed delegations in <delegate> elements:

]]>

Note: the granted delegations MAY be different from the requested ones, according to server's configuration.

The server MUST then forward all requests made to itself on this namespace to the managing entity, except the requests made by the managing entity itself (see below).
The server MUST NOT forward any request made to an other entity than itself or to a bare JID within its domain.

If the server rejects the delegation, it MUST return a &forbidden; error:

]]>

When a server receives a stanza for a delegated namespace which is either directed to him (no 'to' attribute, or 'to' attribute with its own JID), or directed to the bare JID of the sender (e.g. if 'from' attribute is "juliet@capulet.lit/balcony" and 'to' attribute is "juliet@capulet.lit"), it MUST forward it to the managing entity by replacing the 'to' attribute with the JID of the managing entity:

curse my nurse! ]]>

The server gets this stanza, sees that this namespace is delegated to pubsub.capulet.lit, so it forwards it:

curse my nurse! ]]>

The managing entity replies normally to the stanza:

]]>

Then the server MUST change the from field of managing entity to its own JID, and send the answer back to Juliet with the original &IQ; id.

]]>

The workflow is fully transparent for Juliet.

If a stanza is sent by the managing entity on a managed namespace, the server MUST NOT forward it. This way, the managing entity can use privileged entity to do special treatments.

In the following examples, juliet@capulet.lit has its "jabber:iq:roster" namespace delegated to filter.capulet.lit. filter.capulet.lit is a server agnostic component which filters allowed entities (which can be added to a roster), and sort them in enforced groups.

]]> ]]>

filter.capulet.lit accepts to add Romeo, but all JIDs with a montaigu.lit must be in a "Rivals" group, so it first returns a success result (Romeo is accepted).

]]> ]]>

At this stade, the entity is accepted, but not added to the roster. filter.capulet.lit is also a privileged entity which can manage "jabber:iq:roster", so it uses this ability to add Romeo in the enforced group:

Rivals ]]>

The namespace is delegated, but as the stanza is from the managing entity, the server manages it normally. The entity is also privileged, so it can change the stanza of Juliet, the server accepts:

]]>

The server will then send the roster pushes (with the enforced group) normally.

In client mode, the managing entity is not certified by the server administrator, so the delegation MUST be explicitly allowed by the managed entity. This is initiated by the managing entity (it can be after an interaction with a managed entity, like a subscription). It's done in the same way as for admin mode with the following exceptions:

the delegation type is client instead of admin
the delegation is done per entity, so the managed entity MUST be specified in a 'to' attribute

If an entity want to manage PEP service for Juliet, it can ask the delegation like this:

]]>

Once received the delegation request, the server ask to the client if it grant access to the requested namespace using &xep0004;. The server use a challenge which it MUST have generated itself.

pubsub.montaigu.lit wants to manage a feature normally managed by the server. Do you allow it to manage the following features? Be careful! According management to an entity is a serious thing, think twice that you can trust the entity before doing this. Delegation request pubsub.montaigu.lit wants to manage the following features: Do you allow it? 5439123 urn:xmpp:delegation:0 0 ]]>

The server SHOULD include a warning message, SHOULD translate the namespace to human friendly names (and MAY keep the original namespace in addition) and MUST set the default value to '0' (permission refused). The server SHOULD use namespace as field var, so a client can use it to have a customized display.

The client can then answer to the form:

5439123 1 ]]>

Here Juliet allows pubsub.montaigu.lit to manage the PubSub (and then PEP) service.

Finaly, the server notifies the entity of the granted delegation. For this it uses a &QUERY; element with the 'allowed' type, and puts the client JID in a 'from' attribute:

]]>

The managing entity can now manage the namespace the same way as in admin mode.

Server SHOULD provide a way for clients to check already delegated namespaces, and revoke them by using &xep0050; on the well-defined command node 'urn:xmpp:delegation:0#configure'.

If present, the configuration commands MUST allow at least to check delegations granted to a managing entity, and to revoke them. A server MAY offer an option to keep delegations from one session to an other (see business rules).

If a server or an entity supports the namespace delegation protocol, it MUST report that fact by including a service discovery feature of "urn:xmpp:delegation:0" in response to a &xep0030; information request:

]]> ... ... ]]>

When a server delegates a namespace to a managing entity, the later can have particular features which must be advertised by the former with disco protocol.

This is done by using a disco node, which is done the following way: if pubsub.capulet.int manages pubsub namespace, it MUST report that fact in discovery feature, and have a 'urn:xmpp:delegation:0::http://jabber.org/protocol/pubsub' node which reports the managed features.

The node name is obtained by concatenating this XEP namespace (urn:xmpp:delegation:0), a '::' separator, and the delegated namespace (here http://jabber.org/protocol/pubsub).
The server MUST advertise the result in its own discovery answer, and MUST ignore features of its internal component (here internal PubSub service).

In the following example, the capulet.int server delegates its internal PEP component to pubsub.capulet.int. capulet.int only supports REQUIRED PubSub features and auto-create, while pubsub.capulet.int supports REQUIRED PubSub features and publish-options, but not auto-create.
juliet@capulet.int asks its server what it is capable of, she is specially interested in PubSub capabilities.

]]>

Server delegates its PubSub namespace to pubsub.capulet.lit, so it asks its available features for this namespace like this:

]]>

Note that in real situation, server has probably this information already in cache (see Implementation Notes).
pubsub.capulet.lit returns its available features:

]]>

Server include the results in its own discovery info results:

... ... ]]>

Note that 'http://jabber.org/protocol/pubsub#auto-create' is not available.

As an entity may ask for discovery information on bare JID, which the server would answer, the managing entity must be able to send this kind of information.

To do so, the mechanism is the same as for server features, but the separator is ':bare:' instead of '::':

]]>

Server delegate its PubSub namespace to pubsub.capulet.lit, so it ask its available features for this namespace like this:

]]>

As for general case, server has probably this information already in cache.
pubsub.capulet.lit returns its available features:

... ]]>

Then the server returns the answer to Juliet, as in general case, with requested bare JID in 'from' field.

... ]]>

In client mode, server MAY keep delegations granted to an entity by a client from one session to an other, but if it does so, it MUST provide configuration like explained in the suitable section. If server offers this feature, it SHOULD add a field directly in configuration commands.
If a client can't check or revoke delegations (i.e. it doesn't support &xep0050;) when granting them, the server MUST NOT keep granted delegations from one session to an other, and delegations will be asked on each new session.
If delegations are changed during a session, server MUST notify managing entity of the new delegations, like in client delegation request use case.
The namespace of this XEP (urn:xmpp:delegation:0) MUST NOT be delegated. If an entity requests it, the server MUST return a &forbidden; error.

As admin mode is far more easy to implement than client mode, and client mode may impact performances, a server MAY choose to only implement the former.
Because of the performance impact, a server SHOULD ask for disco features to nest to managing entity when delegation is accepted, and keep them in cache.

Managing entity can manage sensitive data, admin delegation should be granted carefuly, only if you absolutely trust the entity.
A server MAY choose to filter allowed namespaces. In this case, it MUST always set the allowed type of filtered namespaces to 0.
In case of filtering, a whitelist system is more secure and SHOULD be prefered to a blacklist (idealy, configuration would allow no filtering, whitelist filtering and blacklist filtering).

This document requires no interaction with &IANA;.

The ®ISTRAR; includes 'urn:xmpp:delegation:0' in its registry of protocol namespaces (see &NAMESPACES;).

urn:xmpp:delegation:0

&NSVER;

]]>

This XEP is linked with XEP-XXXX privileged entity and works in a similar way.

The client mode delegation mechanism is inspired from &xep0321; permission request.

Thanks to Adrien Cossa for his typos/style corrections