Write an article about using multiple Credentials (#1171)
wojciech.kapcia@tigase.net opened 4 years ago

For a while now we have had the possibility to use multiple credentials for users (i.e. "app passwords"). We should highlight it - please write an article about it, its benefits, and how to use it (management and for logging-in purposes).

I think we could also include information that they can use various SASL mechanisms as well.


Application passwords

In recent versions of Tigase XMPP Server it is possible to create and use multiple username and password pairs to authorize connections to a single XMPP account.

With that in place it is now possible to have multiple passwords for multiple clients accessing the same account, which can be used to increase the security of the account: even if one password is compromised you can still log in and block the lost or compromised device.

Adding application password

To add a new username-password pair you need to execute the Add user credentials ad-hoc command (command node auth-credentials-add at sess-man) while logged in to the XMPP account for which you want to add a new application password.

During execution of the command you will be provided with a form to fill in with the following fields:

  • The Jabber ID for the account (jid) - bare JID of your account
  • Credential ID (credentialId) - username for the new application password
  • Password (password) - a new password

<iq type='set' to='sess-man@example.com' id='sasl-app-add-1'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-add' action='execute'/>
</iq>

<iq type='result' from='sess-man@example.com' id='sasl-app-add-1' to='user@example.com/resource-1'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-add' session-id='uuid-xxxxxx' status='executing'>
		<x xmlns='jabber:x:data' type='form'>
			<title>Add user credentials</title>
			<field var='jid' label='The Jabber ID for the account' type='jid-single'/>
			<field var='credentialId' label='Credential ID' type='jid-single'/>
			<field var='password' label='Password' type='text-single'/>
		</x>
	</command>
</iq>

After submitting this form a new credential will be added.

<iq type='set' to='sess-man@example.com' id='sasl-app-add-2'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-add' action='execute'>
		<x xmlns='jabber:x:data' type='submit'>
			<title>Add user credentials</title>
			<field var='jid' label='The Jabber ID for the account' type='jid-single'>
				<value>user@example.com</value>
			</field>
			<field var='credentialId' label='Credential ID' type='jid-single'>
				<value>my-new-app-1</value>
			</field>
			<field var='password' label='Password' type='text-single'>
				<value>39jfnwu053743</value>
			</field>
		</x>
	</command>
</iq>

<iq type='result' from='sess-man@example.com' id='sasl-app-add-2' to='user@example.com/resource-1'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-add' session-id='uuid-xxxxxx' status='completed'>
		<x xmlns='jabber:x:data' type='result'>
			<field type='fixed'>
				<value>OK</value>
			</field>
		</x>
	</command>
</iq>

Logging in with application password

To log in with the new password the XMPP client can use any SASL mechanism, but it needs to provide (in the SASL message):

  • authzid - account JID
  • authcid - username for application password
  • passwd - application password

With proper values, your application will be able to log in using the application password.

In the case of SASL PLAIN, which has the following format (spaces should be omitted and [] means it is optional): [authzid] UTF8NUL authcid UTF8NUL passwd, the unencoded payload would look like this: user@example.com UTF8NUL my-new-app-1 UTF8NUL 39jfnwu053743

After Base64 encoding this would be presented as dXNlckBleGFtcGxlLmNvbQBteS1uZXctYXBwLTEAMzlqZm53dTA1Mzc0Mw== and this value can be used as the CData of the <auth/> element:

<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>dXNlckBleGFtcGxlLmNvbQBteS1uZXctYXBwLTEAMzlqZm53dTA1Mzc0Mw==</auth>

Removing application password

If your device is compromised or lost and you want to remove the application password, you need to use a different device and log in to your XMPP account. Then you need to execute the Delete user credentials ad-hoc command (command node auth-credentials-delete at sess-man).

During execution of the command you will be provided with a form to fill in with the following fields:

  • The Jabber ID for the account (jid) - bare JID of your account
  • Credential ID (credentialId) - username for the application password which you want to remove

<iq type='set' to='sess-man@example.com' id='sasl-app-delete-1'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-delete' action='execute'/>
</iq>

<iq type='result' from='sess-man@example.com' id='sasl-app-delete-1' to='user@example.com/resource-1'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-delete' session-id='uuid-xxxxxx' status='executing'>
		<x xmlns='jabber:x:data' type='form'>
			<title>Delete user credentials</title>
			<field var='jid' label='The Jabber ID for the account' type='jid-single'/>
			<field var='credentialId' label='Credential ID' type='jid-single'/>
		</x>
	</command>
</iq>

After submitting this form a credential will be removed.

<iq type='set' to='sess-man@example.com' id='sasl-app-delete-2'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-delete' action='execute'>
		<x xmlns='jabber:x:data' type='submit'>
			<title>Delete user credentials</title>
			<field var='jid' label='The Jabber ID for the account' type='jid-single'>
				<value>user@example.com</value>
			</field>
			<field var='credentialId' label='Credential ID' type='jid-single'>
				<value>my-new-app-1</value>
			</field>
		</x>
	</command>
</iq>

<iq type='result' from='sess-man@example.com' id='sasl-app-delete-2' to='user@example.com/resource-1'>
	<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-delete' session-id='uuid-xxxxxx' status='completed'>
		<x xmlns='jabber:x:data' type='result'>
			<field type='fixed'>
				<value>OK</value>
			</field>
		</x>
	</command>
</iq>
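
The following is an added example, not code from Tigase or from the issue's author. It builds the submit stage of the auth-credentials-add / auth-credentials-delete ad-hoc commands with the field names shown in the stanzas above, reads back the server's result, and encodes and decodes the SASL PLAIN message ([authzid] NUL authcid NUL passwd, per RFC 4616) so that the Base64 value for the <auth/> element can be reproduced rather than typed by hand. The sess-man address, stanza ids, JID, credential id and password are constructed sample values taken from the draft; the decoding side shows why the server must split on exactly two NUL bytes and look up the (authzid, authcid) pair instead of treating authcid as the account name.

```python
# Added example (not Tigase project code). Assumptions: sess-man@example.com,
# the stanza ids and the credential values are constructed sample data; the
# command nodes and form field names are those used in the draft article.
import base64
import xml.etree.ElementTree as ET

NS_COMMANDS = "http://jabber.org/protocol/commands"
NS_XDATA = "jabber:x:data"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def sasl_plain_payload(authzid: str, authcid: str, passwd: str) -> bytes:
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8, no NUL inside fields."""
    for part in (authzid, authcid, passwd):
        if "\0" in part:
            raise ValueError("NUL is not permitted inside SASL PLAIN fields")
    if not authcid or not passwd:
        raise ValueError("authcid and passwd are mandatory")
    return b"\0".join(p.encode("utf-8") for p in (authzid, authcid, passwd))


def sasl_plain_auth_element(authzid: str, authcid: str, passwd: str) -> str:
    """The <auth/> element the client sends: Base64 of the PLAIN message as CData."""
    b64 = base64.b64encode(sasl_plain_payload(authzid, authcid, passwd)).decode("ascii")
    return f"<auth xmlns='{NS_SASL}' mechanism='PLAIN'>{b64}</auth>"


def parse_sasl_plain(b64: str) -> tuple:
    """Server side: decode and split into exactly (authzid, authcid, passwd).

    With application passwords the authzid carries the account JID and the
    authcid carries the credential id, so the lookup key is the pair.
    """
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("empty authcid or passwd")
    return authzid, authcid, passwd


def credentials_command(node: str, fields: dict, stanza_id: str,
                        to: str = "sess-man@example.com") -> str:
    """Submit stage of the auth-credentials-add / auth-credentials-delete command."""
    iq = ET.Element("iq", {"type": "set", "to": to, "id": stanza_id})
    cmd = ET.SubElement(iq, "command",
                        {"xmlns": NS_COMMANDS, "node": node, "action": "execute"})
    x = ET.SubElement(cmd, "x", {"xmlns": NS_XDATA, "type": "submit"})
    for var, value in fields.items():
        field = ET.SubElement(x, "field", {"var": var})
        ET.SubElement(field, "value").text = value
    return ET.tostring(iq, encoding="unicode")


def submitted_fields(stanza: str) -> dict:
    """Read var -> value back from a submitted command (what sess-man receives)."""
    root = ET.fromstring(stanza)
    x = root.find(f"{{{NS_COMMANDS}}}command/{{{NS_XDATA}}}x")
    return {f.get("var"): f.findtext(f"{{{NS_XDATA}}}value")
            for f in x.findall(f"{{{NS_XDATA}}}field")}


def command_outcome(result_iq: str) -> tuple:
    """Return (status, note) from the server's reply, e.g. ('completed', 'OK')."""
    root = ET.fromstring(result_iq)
    cmd = root.find(f"{{{NS_COMMANDS}}}command")
    if cmd is None:
        raise ValueError("not an ad-hoc command result")
    note = cmd.findtext(f"{{{NS_XDATA}}}x/{{{NS_XDATA}}}field/{{{NS_XDATA}}}value")
    return cmd.get("status"), note


# Constructed sample reply, shaped like the 'completed' result in the draft.
SAMPLE_RESULT = (
    "<iq type='result' from='sess-man@example.com' id='sasl-app-add-2' "
    "to='user@example.com/resource-1'>"
    "<command xmlns='http://jabber.org/protocol/commands' node='auth-credentials-add' "
    "session-id='uuid-xxxxxx' status='completed'>"
    "<x xmlns='jabber:x:data' type='result'><field type='fixed'><value>OK</value></field></x>"
    "</command></iq>"
)

if __name__ == "__main__":
    print(credentials_command("auth-credentials-add",
                              {"jid": "user@example.com", "credentialId": "my-new-app-1",
                               "password": "39jfnwu053743"}, "sasl-app-add-2"))
    print(command_outcome(SAMPLE_RESULT))
    print(sasl_plain_auth_element("user@example.com", "my-new-app-1", "39jfnwu053743"))
```

The delete command is built the same way with node auth-credentials-delete and only the jid and credentialId fields. Splitting on NUL with a strict three-part check matters on the server side: a message with a stray byte in place of a separator, or with a NUL smuggled into a field, is rejected instead of being mapped to the wrong account or credential.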

Andrzej Wójcik (Tigase) commented 4 years ago

Below I've added a text which could be used as an article, but... I do not know of any client which is capable of that, and I'm not sure if that can be done in any other way than via ad-hoc. It is possible to run it from the AdminUI but I'm not sure if a user (non-admin) can log in to the Admin UI. I think the user should be able to log in but I'm not sure if anyone would use it this way.

I've not prepared any screens as I'm not aware of any client which could use this kind of authentication, so this article is mostly an idea of how this would work.

I've added documentation for this feature to Tigase XMPP Server documentation.


Application passwords

In recent versions of Tigase XMPP Server it is possible to create and use multiple username and password pairs to authorize connections to a single XMPP account.

With that in place it is now possible to have multiple passwords for multiple clients accessing the same account, which can be used to increase the security of the account: even if one password is compromised you can still log in and block the lost or compromised device.

Adding application password

To add a new username-password pair you need to execute the Add user credentials ad-hoc command (command node auth-credentials-add at sess-man) while logged in to the XMPP account for which you want to add a new application password.

During execution of the command you will be provided with a form to fill in with the following fields:

  • The Jabber ID for the account (jid) - bare JID of your account
  • Credential ID (credentialId) - username for the new application password
  • Password (password) - a new password

After submitting this form a new credential will be added.

Logging in with application password

To log in with the new password the XMPP client can use any SASL mechanism, but it needs to provide (in the SASL message):

  • authzid - account JID
  • authcid - username for application password
  • passwd - application password

With proper values, your application will be able to log in using the application password.

Removing application password

If your device is compromised or lost and you want to remove the application password, you need to use a different device and log in to your XMPP account. Then you need to execute the Delete user credentials ad-hoc command (command node auth-credentials-delete at sess-man).

During execution of the command you will be provided with a form to fill in with the following fields:

  • The Jabber ID for the account (jid) - bare JID of your account
  • Credential ID (credentialId) - username for the application password which you want to remove

After submitting this form a credential will be removed.

wojciech.kapcia@tigase.net commented 4 years ago

> Below I've added a text which could be used as an article, but... I do not know of any client which is capable of that, and I'm not sure if that can be done in any other way than via ad-hoc. It is possible to run it from the AdminUI but I'm not sure if a user (non-admin) can log in to the Admin UI. I think the user should be able to log in but I'm not sure if anyone would use it this way.

Well, the beauty of ad-hocs is that they are universal enough. If there were enough interest this could probably be specified as a XEP… As for management - using ad-hocs is enough. Non-admins can access the AdminUI (though this ad-hoc would have to be added to the list with an ACL, from what I saw); however, I think it would mostly be used in a programmatic way via ad-hoc.

> I've not prepared any screens as I'm not aware of any client which could use this kind of authentication, so this article is mostly an idea of how this would work.

That's more than fine.

As for the article - could you add stanza examples (adding/removing a credential, and an example SASL PLAIN exchange with the SASL message before encoding it to base64)?

Andrzej Wójcik (Tigase) commented 4 years ago

I've updated the comment above with the content of the article

wojciech.kapcia@tigase.net commented 4 years ago

> I've updated the comment above with the content of the article

@andrzej.wojcik Have you sent the changes? I don't see anything different. I moved the draft article to the issue main body as it's possible to track/see changes there - please update it there.

Andrzej Wójcik (Tigase) commented 4 years ago

I'm pretty sure that I've made those changes and tapped "Save" and saw those changes saved and rendered (I've added spent time after modifying the comment).

wojciech.kapcia@tigase.net batch edited 6 months ago
  Iterations: (empty) -> tigase-server-8.4.0
wojciech.kapcia@tigase.net added to iteration "tigase-server-8.5.0" 6 months ago
wojciech.kapcia@tigase.net removed from iteration "tigase-server-8.4.0" 6 months ago

Type: Task
Priority: Normal
Version: tigase-server-8.3.0, tigase-server-8.4.0
Spent time: 2h 30m
Issue Votes: 0
Watchers: 2
Reference: tigase/_server/server-core#1171