wojciech.kapcia@tigase.net opened 4 years ago
Below I've added a text which could be used as an article, but... I do not know of any client which is capable of that and I'm not sure if it can be done in any other way than via ad-hoc. It is possible to run it from the AdminUI but I'm not sure if a user (non-admin) can log in to the Admin UI. I think the user should be able to log in but I'm not sure if anyone would use it this way. I've not prepared any screens as I'm not aware of any client which could use this kind of authentication, so this article is mostly an idea of how this would work. I've added documentation for this feature to the Tigase XMPP Server documentation.

Application passwords

In recent versions of Tigase XMPP Server it is possible to create and use multiple username and password pairs to authorize connection to a single XMPP account. With that in place it is now possible to have multiple passwords for multiple clients accessing the same account, which can be used to increase the security of the account, as even if one password is compromised you can still log in and block the lost or compromised device.

Adding application password

To add a new username-password pair you need to execute
During execution of the command you will be provided with a form to fill in with the following fields:
After submitting this form a new credential will be added.

Logging in with application password

To log in with the new password the XMPP client can use any SASL mechanism but it needs to provide (in the SASL message):
With proper values, your application will be able to log in using the application password.

Removing application password

If your device is compromised or lost and you want to remove the application password, you need to use a different device and log in to your XMPP account.
Then you need to execute
During execution of the command you will be provided with a form to fill in with the following fields:
After submitting this form the credential will be removed.
Well, the beauty of ad-hocs is that they are universal enough. If there were enough interest this could probably be specified as a XEP… As for management - using ad-hocs is enough. A non-admin can access the AdminUI (though this ad-hoc would have to be added to the list with an ACL, from what I saw); however, I think it would be mostly used in a programmatic way via ad-hoc.

That's more than fine. As for the article - could you add stanza examples (adding/removing a credential and an example SASL-PLAIN with the SASL message before encoding it to base64)?
I've updated the comment above with the content of the article
I'm pretty sure that I've made those changes and tapped "Save" and seen those changes saved and rendered (I've added spent time after modifying the commit).
wojciech.kapcia@tigase.net batch edited 6 months ago
wojciech.kapcia@tigase.net added to iteration "tigase-server-8.5.0" 6 months ago
wojciech.kapcia@tigase.net removed from iteration "tigase-server-8.4.0" 6 months ago
Type: Task
Priority: Normal
Assignee:
Version: tigase-server-8.3.0, tigase-server-8.4.0
Spent time: 2h 30m
Iteration: tigase-server-8.5.0 Open
For a while now we have had the possibility to use multiple credentials for users (i.e. "app passwords"). We should highlight it - please write an article about it, its benefits, and how to use it (management and for logging-in purposes).
I think we could also include information that they can use various SASL mechanisms as well.
Application passwords

In recent versions of Tigase XMPP Server it is possible to create and use multiple username and password pairs to authorize connection to a single XMPP account.
With that in place it is now possible to have multiple passwords for multiple clients accessing the same account, which can be used to increase the security of the account, as even if one password is compromised you can still log in and block the lost or compromised device.

Adding application password

To add a new username-password pair you need to execute the "Add user credentials" ad-hoc command (command node auth-credentials-add at sess-man) while logged in to the XMPP account for which you want to add a new application password. During execution of the command you will be provided with a form to fill in with the following fields:
- jid - bare JID of your account
- credentialId - username for the new application password
- password - a new password
After submitting this form a new credential will be added.

Logging in with application password

To log in with the new password the XMPP client can use any SASL mechanism but it needs to provide (in the SASL message):
- authzid - account JID
- authcid - username for the application password
- passwd - application password
With proper values, your application will be able to log in using the application password.

In the case of SASL PLAIN, which has the following format (spaces should be omitted and [] means the field is optional):
    [authzid] UTF8NUL authcid UTF8NUL passwd
the unencoded payload would look like this:
    user@example.com UTF8NUL my-new-app-1 UTF8NUL 39jfnwu053743
which after Base64 encoding would be presented as
    dXNlckBleGFtcGxlLmNvbQBteS1uZXctYXBwLTEDOWpmbnd1MDUzNzQz
and this value can be used as the CData of the <auth/> element:

Removing application password

If your device is compromised or lost and you want to remove the application password, you need to use a different device and log in to your XMPP account. Then you need to execute the "Delete user credentials" ad-hoc command (command node auth-credentials-delete at sess-man). During execution of the command you will be provided with a form to fill in with the following fields:
- jid - bare JID of your account
- credentialId - username for the application password which you want to remove
After submitting this form the credential will be removed.
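As an added example that is not part of the article above, the following Python builds the SASL PLAIN message described in the "Logging in with application password" section (authzid = account JID, authcid = the credentialId, passwd = the application password), wraps it in the <auth/> element defined in RFC 6120, and parses it back the way a server must (exactly two NUL separators, non-empty authcid and passwd). It also recomputes the Base64 encoding of the article's sample payload so the string can be verified rather than copied; the function names are mine.

```python
import base64

# SASL PLAIN (RFC 4616) separates the three fields with a single NUL octet.
NUL = b"\x00"


def build_plain(authzid, authcid, passwd):
    """Return the Base64 SASL PLAIN message: [authzid] NUL authcid NUL passwd.

    authzid may be empty (the field is optional); authcid and passwd must not.
    No field may contain NUL, because NUL is the field separator.
    """
    for name, value in (("authzid", authzid), ("authcid", authcid), ("passwd", passwd)):
        if "\x00" in value:
            raise ValueError(f"{name} must not contain NUL")
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are required")
    raw = authzid.encode("utf-8") + NUL + authcid.encode("utf-8") + NUL + passwd.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain(message):
    """Decode a SASL PLAIN message as a server should: exactly two NULs.

    Returns (authzid, authcid, passwd); authzid is '' when the client omitted it.
    """
    raw = base64.b64decode(message, validate=True)
    parts = raw.split(NUL)
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def auth_element(message):
    """Wrap the message in the <auth/> element from RFC 6120, section 6.4.2."""
    return (f'<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" '
            f'mechanism="PLAIN">{message}</auth>')


if __name__ == "__main__":
    # Sample values from the article: account JID, credentialId, application password.
    msg = build_plain("user@example.com", "my-new-app-1", "39jfnwu053743")
    print(auth_element(msg))
    print(parse_plain(msg))
```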