Authorization Tokens

This document defines an XMPP protocol extension for issuing authentication tokens to client applications and provides methods for managing client connections.

Number: xxxx (ProtoXEP)
Type: Standards Track
Approving Body: Standards Council
Dependencies: XMPP Core, XEP-0001
Short Name: xabber-tokens
Authors: Andrey Gagarin <andrey.gagarin@redsolution.com>, Andrew Nenakhov <andrew.nenakhov@redsolution.com>
Version 0.0.1 (2019-09-11, ag/an): First draft.

When an XMPP client negotiates a stream with an XMPP server, it typically needs to perform authentication and authorization, and stream negotiation typically requires providing a password on each connection attempt. This means that the XMPP client has to store the password: on some types of clients reconnections are very frequent, and asking the user for a password on every reconnect would result in a very bad user experience.

Storing the account password on a physical device increases the security risk: the password can be extracted from the device by whoever gains access to it. A user also cannot revoke access for a single client without changing the password, and even a password change does not immediately revoke access from a device that already has an established connection.

This document describes a method that addresses these issues and provides more security for users. The idea is to use XMPP-based tokens, which allow the user to control client sessions: each client authenticates with its own token, and a token can be revoked without affecting the others.

  1. It is RECOMMENDED for the client to transfer information about the connected device: the type of client and the version of the operating system.
  2. The server MUST show the latest IP address used with the token.

The following example illustrates the XML structure sent when issuing a new token for a client (request followed by the server's response).

xabber-web MacOS 10.14
VkpTYqfpPcLpwciTRtgHaV7HLBC9O9kY 1536322632 49975a48609793c5c93f5e9eab264f6706f04164

xabber-web iMac Pro MacOS 10.14 3600
VkpTYqfpPcLpwciTRtgHaV7HLBC9O9kY 1536321232 49975a48609793c5c93f5e9eab264f6706f04164

During the authentication process the client can receive a token before resource binding.


The server accepts the connection and sends the list of supported stream features. The x-token feature is also on the list:

...
xabber-web MacOS 10.14
VkpTYqfpPcLpwciTRtgHaV7HLBC9O9kY 1536322632 49975a48609793c5c93f5e9eab264f6706f04164

... X-TOKEN ...
base64("\0" + user_name + "\0" + auth_token)

The content of the auth element is the base64 encoding of a string consisting of a null byte, followed by the username, another null byte, and the string representation of the user's authentication token. This is the same layout as authentication with a password using the PLAIN mechanism, except that the token takes the place of the password (the leading null byte is the empty authorization identity). Because the token is a bearer credential, it must be sent only over a TLS-protected stream, exactly as a PLAIN password would be.

xabber-web 2.3 iMac Pro MacOS 10.14 024717297867c1d32714cadde305825a9909ef7c 1536322632 192.168.1.2 1536322632
xabber-android 2.363 Nokia Android 8.0 7dbf8541c4de1d24a0f748cc01f98a140100979a 1536322632 192.168.1.3 1536322632
xabber-ios 1.8 iphone 5s IOS 12.3.1 49975a48609793c5c93f5e9eab264f6706f04164 1536322632 192.168.1.3 1536322632
xabber-desktop 1.2 PC Arch Linux x86_64 86c763fcdca9b3372685ca4b258b1a207b9138f5 1536322632 192.168.1.5 1536322632

86c763fcdca9b3372685ca4b258b1a207b9138f5

49975a48609793c5c93f5e9eab264f6706f04164 7dbf8541c4de1d24a0f748cc01f98a140100979a

49975a48609793c5c93f5e9eab264f6706f04164 7dbf8541c4de1d24a0f748cc01f98a140100979a

The server issues a new token and sends the user a message notifying them of the login from a new device.

dnbo3gasxia1agsj5nxzrlxr57ilibh9
New login.
Dear juliet@capulet.it, we detected a new login into your account from a new device on 01/09/2019 at 05:39:10 UTC
Xabber Web 2.6.5.642 PC Linux x86_64 192.168.1.2
If this wasn't you, go to Settings > XMPP Account > Active sessions and terminate suspicious sessions.

During the authentication process the client can also revoke all tokens before resource binding. This can be necessary when someone has gained access to a client device: the intruder could otherwise revoke all tokens immediately after connecting, leaving the account owner no chance to revoke the intruder's access.

After passing all the authentication steps, the client makes a request to delete all tokens, then requests a new token for itself:

VkpTYqfpPcLpwciTRtgHaV7HLBC9O9kY

xabber-web 2.3 iMac Pro MacOS 10.14 024717297867c1d32714cadde305825a9909ef7c 1536322632 192.168.1.2 1536322632
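The following Python is an added example written for this page; it is not code from the Xabber project or part of this XEP. It shows the X-TOKEN initial response encoding described above (the PLAIN-style "\0" + username + "\0" + token layout, with the malformed cases a server must reject), a server-side token record that keeps the client/device description and the latest IP address, revocation of selected tokens, and the revoke-all step used before bind, which keeps only the session that issued it. The storage layout, hashing tokens with SHA-256 so the plaintext never sits on the server, and the random 40-hex token identifier are assumptions of this example, not something this document specifies.

```python
import base64
import hashlib
import hmac
import secrets
import time


def build_x_token_response(username: str, token: str, authzid: str = "") -> str:
    """Client side: base64(authzid + "\\0" + username + "\\0" + token).

    Same layout as SASL PLAIN with the token in place of the password; the
    usual empty authzid yields the leading "\\0" the page describes.
    """
    for field in (authzid, username, token):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = authzid.encode() + b"\0" + username.encode() + b"\0" + token.encode()
    return base64.b64encode(raw).decode("ascii")


def parse_x_token_response(b64: str) -> tuple:
    """Server side: decode the initial response into (authzid, username, token).

    Rejects invalid base64 and any split that is not exactly three fields, so an
    extra NUL cannot shift the token into the username position or vice versa.
    """
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL username NUL token")
    authzid, username, token = (p.decode("utf-8") for p in parts)
    if not username or not token:
        raise ValueError("username and token must be non-empty")
    return authzid, username, token


class TokenStore:
    """Per-user token records: uid -> {hash, client, device, expire, ip, last_auth}."""

    def __init__(self):
        self._tokens = {}  # username -> {uid: record}

    def issue(self, username, client, device, ttl, ip, now=None):
        """Create a token; return (token, uid, expire). Only the token's hash is kept."""
        now = int(now if now is not None else time.time())
        token = secrets.token_urlsafe(24)  # assumption: 32-char random bearer secret
        uid = secrets.token_hex(20)        # assumption: 40-hex identifier like the page's examples
        self._tokens.setdefault(username, {})[uid] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "client": client, "device": device,
            "expire": now + ttl, "ip": ip, "last_auth": now,
        }
        return token, uid, now + ttl

    def verify(self, b64_response, ip, now=None):
        """Authenticate an X-TOKEN response; return the uid on success, None otherwise."""
        now = int(now if now is not None else time.time())
        _, username, token = parse_x_token_response(b64_response)
        presented = hashlib.sha256(token.encode()).hexdigest()
        for uid, rec in self._tokens.get(username, {}).items():
            # constant-time comparison so response timing does not leak the stored hash
            if hmac.compare_digest(rec["hash"], presented):
                if rec["expire"] <= now:
                    return None  # expired tokens are not usable even if they match
                rec["ip"], rec["last_auth"] = ip, now  # "server MUST show latest IP address"
                return uid
        return None

    def list(self, username):
        """The token list shown to the user: everything except the secret hash."""
        return [dict(uid=u, **{k: v for k, v in r.items() if k != "hash"})
                for u, r in self._tokens.get(username, {}).items()]

    def revoke(self, username, uids):
        """Revoke the listed tokens (single or multiple); return how many were removed."""
        recs = self._tokens.get(username, {})
        return sum(1 for u in uids if recs.pop(u, None) is not None)

    def revoke_all(self, username, keep_uid=None):
        """Revoke every token except keep_uid (the session performing the revoke)."""
        recs = self._tokens.get(username, {})
        return self.revoke(username, [u for u in recs if u != keep_uid])


if __name__ == "__main__":
    # constructed sample exchange using the page's device description and timestamps
    store = TokenStore()
    tok, uid, _ = store.issue("juliet", "xabber-web", "iMac Pro MacOS 10.14",
                              3600, "192.168.1.2", now=1536321232)
    resp = build_x_token_response("juliet", tok)
    print(store.verify(resp, "192.168.1.9", now=1536321300) == uid)
```

The store hashes tokens for the same reason passwords are hashed: a database leak then yields identifiers, device descriptions and IP addresses, but not credentials that can be replayed against the server.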

The server records the IP addresses used by the user. While this improves security during regular usage by making the user aware of malicious attempts to access their account, it also creates a privacy risk if the data is leaked: IP addresses can help determine the user's identity and location. Server operators should be warned about this risk and take measures against it, such as restricting access to this data and limiting how long it is retained.

Tokens are bearer credentials: anyone who obtains one can authenticate as the user until it expires or is revoked. Clients should therefore protect stored tokens at least as carefully as a stored password, tokens should only be transmitted over TLS-protected streams, and servers should store tokens in a form that does not allow a leaked database to be replayed against the server.

This document requires no interaction with the Internet Assigned Numbers Authority (IANA).

The XMPP Registrar includes 'https://xabber.com/protocol/auth-tokens' and 'https://xabber.com/protocol/auth-tokens#items' in its registry of protocol namespaces (see https://xmpp.org/registrar/namespaces.html).

  • https://xabber.com/protocol/auth-tokens
  • https://xabber.com/protocol/auth-tokens#items
The protocol documented by this schema is defined in XEP-xxxx: http://www.xmpp.org/extensions/xep-xxxx.html

The protocol documented by this schema is defined in XEP-xxxx: http://www.xmpp.org/extensions/xep-xxxx.html