Token-based authentication (#362) · Issues · Network / Kaidan

Token-based authentication

The issues with password-based auth

Using a password is not that nice:

You can't identify your devices -> you can't list logged in devices
You can't kick/log out other devices
The user needs to remember the password somehow or the password needs to be visible in the App.
- Remembering the password isn't always a good option: Many people forget the password and get locked out of their account.
- Making the password visible isn't a good idea either, others getting your phone in their hands can easily look at your password -- This is not very privacy-aware.
  - -> You could use randomly generated passwords to avoid privacy-loss. However, you can never be sure that the password of an account is randomly generated.
When the password is changed, all other devices need to log in again.

Requirements for such a token-based auth

Devices using password-based authentication and devices using token-based auth need to work in parallel with one account.
All currently active tokens need to be visible to clients
Maybe privileges for tokens
A client only having access using token-based auth should be able to give access to another device.
- Generating a new temporary token for the device
- Changing the accounts password and transmitting that
Time limitations
- devices that are offline for more than e.g. 90 days should be kicked
- devices renew or replace their token by logging in or a special command

Solutions?

To solve this, we probably need changes to the standards / a new XEP. Possible solutions:

OAUTH2?
- There's already something for OAUTH in XMPP
- Is listing devices/tokens possible? => Do we need a XEP for that?
There was a proto XEP about tokens?
- Could that be an option?

### The issues with password-based auth

Using a password is not that nice:
 * You can't identify your devices -> you can't list logged in devices
 * You can't kick/log out other devices
 * The user needs to remember the password somehow or the password needs to be visible in the App.
    * Remembering the password isn't always a good option: Many people forget the password and get locked out of their account.
    * Making the password visible isn't a good idea either, others getting your phone in their hands can easily look at your password -- This is not very privacy-aware.
      * -> You could use randomly generated passwords to avoid privacy-loss. However, you can never be sure that the password of an account is randomly generated.
 * When the password is changed, all other devices need to log in again.

### Requirements for such a token-based auth

* Devices using password-based authentication and devices using token-based auth need to work in parallel with one account.
 * All currently active tokens need to be visible to clients
 * Maybe privileges for tokens
 * A client only having access using token-based auth should be able to give access to another device.
   * Generating a new temporary token for the device
   * Changing the accounts password and transmitting that
 * Time limitations
   * devices that are offline for more than e.g. 90 days should be kicked
   * devices renew or replace their token by logging in or a special command

### Solutions?

To solve this, we probably need changes to the standards / a new XEP. Possible solutions:
 * OAUTH2?
   * There's already something for OAUTH in XMPP
   * Is listing devices/tokens possible? => Do we need a XEP for that?
 * There was a proto XEP about tokens?
   * Could that be an option?