Token-based authentication (#362) · Issues · Network / Kaidan

Token-based authentication

Using a password is not that nice:

You can't identify your devices -> you can't list logged in devices
You can't kick/log out other devices
The user needs to remember the password somehow or the password needs to be visible in the App.
- Remembering the password isn't always a good option: Many people forget the password and get locked out of their account.
- Making the password visible isn't a good idea either, others getting your phone in their hands can easily look at your password -- This is not very privacy-aware.
  - -> You could use randomly generated passwords to avoid privacy-loss. However, you can never be sure that the password of an account is randomly generated.
When the password is changed, all other devices need to log in again.

Devices using password-based authentication and devices using token-based auth need to work in parallel with one account.
All currently active tokens need to be visible to clients
Maybe privileges for tokens
A client only having access using token-based auth should be able to give access to another device.
- Generating a new temporary token for the device
- Changing the accounts password and transmitting that
Time limitations
- devices that are offline for more than e.g. 90 days should be kicked
- devices renew or replace their token by logging in or a special command

To solve this, we probably need changes to the standards / a new XEP. Possible solutions:

OAUTH2?
- There's already something for OAUTH in XMPP
- Is listing devices/tokens possible? => Do we need a XEP for that?
There was a proto XEP about tokens?
- Could that be an option?