The issues with password-based auth
Using a password is not that nice:
- You can't identify your devices -> you can't list logged in devices
- You can't kick/log out other devices
- The user needs to remember the password somehow or the password needs to be visible in the App.
- Remembering the password isn't always a good option: Many people forget the password and get locked out of their account.
- Making the password visible isn't a good idea either, others getting your phone in their hands can easily look at your password -- This is not very privacy-aware.
- -> You could use randomly generated passwords to avoid privacy-loss. However, you can never be sure that the password of an account is randomly generated.
- When the password is changed, all other devices need to log in again.
Requirements for such a token-based auth
- Devices using password-based authentication and devices using token-based auth need to work in parallel with one account.
- All currently active tokens need to be visible to clients
- Maybe privileges for tokens
- A client only having access using token-based auth should be able to give access to another device.
- Generating a new temporary token for the device
- Changing the accounts password and transmitting that
- Time limitations
- devices that are offline for more than e.g. 90 days should be kicked
- devices renew or replace their token by logging in or a special command
To solve this, we probably need changes to the standards / a new XEP. Possible solutions:
- There's already something for OAUTH in XMPP
- Is listing devices/tokens possible? => Do we need a XEP for that?
- There was a proto XEP about tokens?
- Could that be an option?