  • #362
Closed
Open
Issue created Feb 19, 2020 by Linus Jahn@lnj🔌Developer

Token-based authentication

The issues with password-based auth

Using a password is not that nice:

  • You can't identify your devices -> you can't list logged in devices
  • You can't kick/log out other devices
  • The user needs to remember the password somehow, or the password needs to be visible in the app.
    • Remembering the password isn't always a good option: many people forget the password and get locked out of their account.
    • Making the password visible isn't a good idea either: anyone who gets hold of your phone can easily read your password. This is not very privacy-aware.
      • -> You could use randomly generated passwords to avoid this privacy loss. However, you can never be sure that the password of an account is randomly generated.
  • When the password is changed, all other devices need to log in again.

Requirements for such a token-based auth

  • Devices using password-based authentication and devices using token-based auth need to work in parallel with one account.
  • All currently active tokens need to be visible to clients
  • Maybe privileges for tokens
  • A client only having access using token-based auth should be able to give access to another device.
    • Generating a new temporary token for the device
    • Changing the account's password and transmitting that
  • Time limitations
    • devices that are offline for more than e.g. 90 days should be kicked
    • devices renew or replace their token by logging in or a special command
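As an added illustration of the requirements above (example code written for this page, not Kaidan's code and not the protocol of any XEP; the 90-day limit, the HMAC pepper and the store layout are assumptions), a minimal server-side token store that identifies devices, lists and revokes them, kicks devices that stay offline past the limit, and lets a device renew its token by presenting the current one:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

INACTIVITY_LIMIT = 90 * 24 * 3600  # seconds offline before a token is dropped (issue's "e.g. 90 days", assumed)


@dataclass
class DeviceToken:
    token_hash: bytes  # only an HMAC of the token is stored, never the token itself
    last_seen: int     # unix time of the last successful login with this token


@dataclass
class TokenStore:
    """Hypothetical per-account store of device tokens; not Kaidan's or any XEP's design."""
    pepper: bytes  # server-side secret for the HMAC, so a leaked table alone is useless
    tokens: dict = field(default_factory=dict)  # device_id -> DeviceToken

    def _hash(self, token: str) -> bytes:
        return hmac.new(self.pepper, token.encode(), hashlib.sha256).digest()

    def issue(self, device_id: str, now: int) -> str:
        """Create a random token for one device; the plaintext is handed out exactly once."""
        token = secrets.token_urlsafe(32)
        self.tokens[device_id] = DeviceToken(self._hash(token), now)
        return token

    def authenticate(self, device_id: str, token: str, now: int) -> bool:
        """Verify a token in constant time; kick devices offline longer than the limit."""
        entry = self.tokens.get(device_id)
        if entry is None:
            return False
        if now - entry.last_seen > INACTIVITY_LIMIT:
            del self.tokens[device_id]  # offline too long: token revoked, device must re-enrol
            return False
        if not hmac.compare_digest(entry.token_hash, self._hash(token)):
            return False
        entry.last_seen = now  # a successful login renews the inactivity window
        return True

    def rotate(self, device_id: str, token: str, now: int):
        """Replace a device's token (the 'renew or replace' step); needs the current token."""
        return self.issue(device_id, now) if self.authenticate(device_id, token, now) else None

    def list_devices(self) -> list:
        return sorted(self.tokens)

    def revoke(self, device_id: str) -> bool:
        return self.tokens.pop(device_id, None) is not None
```

Password-based logins would run through a separate path, so password devices and token devices coexist on one account as the first requirement asks.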

Solutions?

To solve this, we probably need changes to the standards / a new XEP. Possible solutions:

  • OAuth2?
    • There's already something for OAuth in XMPP
    • Is listing devices/tokens possible? => Do we need a XEP for that?
  • There was a proto XEP about tokens?
    • Could that be an option?