Pre-Authenticated In-Band Registration

%ents; ]>

Pre-Authenticated In-Band Registration This document extends the In-Band-Registration protocol to use invitation tokens, e.g. for registering accounts on non-public servers. &LEGALNOTICE; 0445 Experimental Standards Track Standards Council XMPP Core XEP-0077 XEP-0147 XEP-0379 XEP-0401 ibr-token Georg Lukas 0.2.0 2020-11-24 XEP Editor (jsc) Accepted by vote of Council on 2020-11-04. 0.1.0 2020-10-28 gl First version based on XEP-0401.

There are two typical mechanisms to register an account on an XMPP server:

Out-of-band account creation, after which the account JID and password need to be manually entered into an XMPP client, and
&xep0077; (IBR) where an account is created and fully configured right from the XMPP client.

The IBR mechanism is much more convenient for users, but also opens up the server to abuse, e.g. due to the mass-registration of spam bot accounts. Captchas, while heavily impacting well-intentioned users, are not a reliable mechanism to prevent abuse. This specification allows to restrict the IBR mechanism by requiring a registration token, e.g. for giving users access to a private server, without exposing their password to the server administrator.

This specification is part of a series of documents aiming at improving user onboarding:

&xep0379; to automatically accept roster subscriptions based on a token.
&xep0401; to generate tokens that can be used for authenticating IBR.

While this specification is designed to work together with &xep0401;, it can be used with invitation tokens obtained by any other mechanism. XMPP URIs can then be used out-of-band to deliver the invitation to a new user.

A client that obtains such an XMPP URI should allow the user to register an XMPP account with the server that generated the URI.

A client that implements this specification needs to understand the &xep0147; specification, to make use of the register query action and the preauth parameter. Three URI formats are defined.

An invitation to register an account can contain a specific XMPP address (with a pre-defined user account name) to be registered. A client should populate the address field in the IBR dialog with this address and disallow changing the address.

xmpp:juliet@example.com?register;preauth=TOKEN

An invitation to register an account can contain just the server domain to register on. A client should populate the address field in the IBR dialog with this domain and allow entering the desired account name.

xmpp:example.com?register;preauth=TOKEN

A contact invitation with a registration token (&xep0379;) might indicate that the token can also be used to register an account on that server (ibr=y). If the receiving client already has an account configured, it may skip account registration and simply add the contact as defined in XEP-0379. The client may also register a new account on the domain of the proposed contact, allowing the user to enter the desired account name.

xmpp:romeo@example.com?roster;preauth=TOKEN;ibr=y

While a registration URI is an indication that the respective server supports Pre-Authenticated IBR, a URI might be manipulated and is not guaranteed to be reliable.

Therefore, when performing the account creation, the client needs to ensure that the server supports the Pre-Authenticated IBR protocol, as denoted by the <register xmlns='urn:xmpp:ibr-token:0'> stream feature:

EXTERNAL SCRAM-SHA-1-PLUS SCRAM-SHA-1 PLAIN ]]>

In order to allow invited users to register on a server, the registration processs as defined in &xep0077; needs to be extended. The invited user's client needs to connect to the server and check that the invitation stream feature (<register xmlns='urn:xmpp:ibr-token:0'>) is present. After that, the client initiates the registration flow by sending the preauth token to the server:

]]>

Upon receiving the preauth request, the server must validate that the token is acceptable for account registration. However, single-use tokens MUST NOT be considered used until the actual registration has succeeded.

In addition, if the token has an expiration time, it MUST only be checked at this point. Subsequent actions performed by the client during the current session that require a valid token MUST NOT be rejected due to token expiry.

If the token is acceptable, the server responds with success, and indicates the client may now proceed with account registration:

]]>

If the token provided by the client was unknown, invalid or expired, the server should return an appropriate error to the client:

The provided token is invalid or expired

]]>

In the success case, the client proceeds with registration as defined in &xep0077;. If the token is rejected by the server, the client still MAY attempt to perform IBR if the server allows that.

If a username was specified when creating an invitation token, the server SHOULD NOT create an account on the server until the invitee actually registers it with the corresponding token. The server MUST reserve the username at least until the corresponding token expires.

If the invitee opens an invitation URI with ibr=y and chooses to create a new account, the client SHOULD pre-fill the inviter JID's domain part as the new account's domain. The client MAY provide a mechanism to enter or choose a different server, though.

See security considerations in &xep0379;.

This document requires no interaction with &IANA;.

This document only makes use of the XMPP URI elements defined in &xep0401;

REQUIRED for protocol specifications.