<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE xep SYSTEM 'xep.dtd' [
  <!ENTITY % ents SYSTEM 'xep.ent'>
%ents;
]>
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
<xep>
<header>
  <title>Pre-Authenticated In-Band Registration</title>
  <abstract>This document extends the In-Band-Registration protocol to use
    invitation tokens, e.g. for registering accounts on non-public
    servers.
  </abstract>
  &LEGALNOTICE;
  <number>0445</number>
  <status>Proposed</status>
  <lastcall>2021-10-20</lastcall>
  <type>Standards Track</type>
  <sig>Standards</sig>
  <approver>Council</approver>
  <dependencies>
    <spec>XMPP Core</spec>
    <spec>XEP-0077</spec>
    <spec>XEP-0147</spec>
    <spec>XEP-0379</spec>
    <spec>XEP-0401</spec>
  </dependencies>
  <supersedes/>
  <supersededby/>
  <shortname>ibr-token</shortname>
  <author>
    <firstname>Georg</firstname>
    <surname>Lukas</surname>
  </author>
  <revision>
    <version>0.2.0</version>
    <date>2020-11-24</date>
    <initials>XEP Editor (jsc)</initials>
    <remark>Accepted by vote of Council on 2020-11-04.</remark>
  </revision>
  <revision>
    <version>0.1.0</version>
    <date>2020-10-28</date>
    <initials>gl</initials>
    <remark>First version based on XEP-0401.</remark>
  </revision>
</header>
<section1 topic='Introduction' anchor='intro'>
  <p>There are two typical mechanisms to register an account on an XMPP server:</p>
  <ul>
    <li>Out-of-band account creation, after which the account JID and password
      need to be manually entered into an XMPP client, and</li>
    <li>&xep0077; (IBR) where an account is created and fully configured right
      from the XMPP client.</li>
  </ul>
  <p>The IBR mechanism is much more convenient for users, but also opens up
    the server to abuse, e.g. due to the mass-registration of spam bot
    accounts. Captchas, while heavily impacting well-intentioned users, are
    not a reliable mechanism to prevent abuse.  This specification allows to
    restrict the IBR mechanism by requiring a registration token, e.g. for
    giving users access to a private server, without exposing their password
    to the server administrator.</p>
  <p>This specification is part of a series of documents aiming at improving
    user onboarding:</p>
  <ul>
    <li>&xep0379; to automatically accept roster subscriptions based on a
      token.</li>
    <li>&xep0401; to generate tokens that can be used for authenticating IBR.</li>
  </ul>
  <p>While this specification is designed to work together with &xep0401;, it
    can be used with invitation tokens obtained by any other mechanism. XMPP
    URIs can then be used out-of-band to deliver the invitation to a new user.</p>
  <p>A client that obtains such an XMPP URI should allow the user to register
    an XMPP account with the server that generated the URI.</p>
</section1>

<section1 topic='Use Cases'>
  <p>A client that implements this specification needs to understand the
    &xep0147; specification, to make use of the <tt>register</tt> query
    action and the <tt>preauth</tt> parameter. Three URI formats
    are defined.</p>
  <section2 topic="Registration with pre-defined account name">
    <p>An invitation to register an account can contain a specific XMPP
      address (with a pre-defined user account name) to be registered. A
      client should populate the address field in the IBR dialog with this
      address and disallow changing the address.</p>
    <code caption="Registration URI with pre-defined account name">xmpp:juliet@example.com?register;preauth=TOKEN</code>
  </section2>

  <section2 topic="Registration on a server">
    <p>An invitation to register an account can contain just the server domain
      to register on. A client should populate the address field in the IBR
      dialog with this domain and allow entering the desired account name.</p>
    <code caption="Registration URI without account name">xmpp:example.com?register;preauth=TOKEN</code>
  </section2>

  <section2 topic="Contact Invitation with IBR">
    <p>A contact invitation with a registration token (&xep0379;) might
      indicate that the token can also be used to register an account on that
      server (<tt>ibr=y</tt>). If the receiving client already has an account
      configured, it may skip account registration and simply add the contact
      as defined in <cite>XEP-0379</cite>. The client may also register a new
      account on the domain of the proposed contact, allowing the user to
      enter the desired account name.</p>
    <code caption="Contact URI with Pre-Authenticated IBR support">xmpp:romeo@example.com?roster;preauth=TOKEN;ibr=y</code>
  </section2>
</section1>

<section1 topic='Discovery' anchor='discover'>
  <p>While a registration URI is an indication that the respective server
    supports Pre-Authenticated IBR, a URI might be manipulated and is not
    guaranteed to be reliable.</p>
  <p>Therefore, when performing the account creation, the client needs to
    ensure that the server supports the Pre-Authenticated IBR protocol, as denoted by
    the <strong>&lt;register xmlns='urn:xmpp:ibr-token:0'></strong>
    stream feature:</p>
  <example caption="Stream features of a server that accepts invitations"><![CDATA[
<stream:features>
  <mechanisms xmlns='urn:xmpp:sasl:0'>
    <mechanism>EXTERNAL</mechanism>
    <mechanism>SCRAM-SHA-1-PLUS</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
  <register xmlns='urn:xmpp:ibr-token:0'/>
  <register xmlns='http://jabber.org/features/iq-register'/>
</stream:features>
]]></example>
</section1>
<section1 topic='Pre-Authenticated In-Band Registration' anchor='preauth-ibr'>
  <p>In order to allow invited users to register on a server, the
    registration processs as defined in &xep0077; needs to be extended. The
    invited user's client needs to connect to the server and check that the
    invitation stream feature
    (<strong>&lt;register xmlns='urn:xmpp:ibr-token:0'></strong>) is present.
    After that, the client initiates the registration flow by sending the
    preauth token to the server:</p>
  <example caption="Client initiates pre-authenticated IBR"><![CDATA[
<iq type='set' to='example.com' id='pa1'>
<preauth xmlns='urn:xmpp:pars:0' token='TOKEN' />
</iq>
]]></example>
  <p>Upon receiving the preauth request, the server must validate that the
    token is acceptable for account registration. However, single-use tokens
    MUST NOT be considered used until the actual registration has succeeded.
  </p>
  <p>In addition, if the token has an expiration time, it MUST only be
    checked at this point. Subsequent actions performed by the client during
    the current session that require a valid token MUST NOT be rejected due
    to token expiry.
  </p>
  <p>If the token is acceptable, the server responds with success, and
    indicates the client may now proceed with account registration:
  </p>
  <example caption="Server accepts invitation token"><![CDATA[
<iq type='result' from='example.com' id='pa1' />
]]></example>
  <p>If the token provided by the client was unknown, invalid or expired, the
    server should return an appropriate error to the client:</p>
  <example caption="Server rejects invitation token"><![CDATA[
<iq type="error" from="example.com" id="pa1">
<error type='cancel'>
  <item-not-found xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  <text>The provided token is invalid or expired</text>
</error>
</iq>
]]></example>
  <p>In the success case, the client proceeds with registration as defined in
    &xep0077;. If the token is rejected by the server, the client still MAY
    attempt to perform IBR if the server allows that.</p>
</section1>
<section1 topic='Business Rules' anchor='rules'>
  <p>If a username was specified when creating an invitation token, the
    server SHOULD NOT create an account on the server until the invitee
    actually registers it with the corresponding token.
    The server MUST reserve the username at least until the corresponding
    token expires.</p>
</section1>
<section1 topic='Implementation Notes' anchor='impl'>
  <section2 topic='XMPP Server Suggestion for Invitees'>
    <p>If the invitee opens an invitation URI with <strong>ibr=y</strong> and
      chooses to create a new account, the client SHOULD pre-fill the
      inviter JID's domain part as the new account's domain. The client MAY
      provide a mechanism to enter or choose a different server, though.</p>
  </section2>
</section1>
<section1 topic='Security Considerations' anchor='security'>
  <p>See security considerations in &xep0379;.</p>
</section1>
<section1 topic='IANA Considerations' anchor='iana'>
  <p>This document requires no interaction with &IANA;.</p>
</section1>
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
    <p>This document only makes use of the XMPP URI elements defined in
      &xep0401;</p>
</section1>
<section1 topic='XML Schema' anchor='schema'>
  <p>REQUIRED for protocol specifications.</p>
</section1>
</xep>