snikket-im / snikket-server

Image builder for Snikket server
https://snikket.org/service/
Apache License 2.0

support for sso / openid connect ? #198

Open parisni opened 8 months ago

parisni commented 8 months ago

Hi, would such a feature be on the project roadmap?

Zash commented 7 months ago

Can you describe in more detail what it is you would want to do?

Neustradamus commented 5 months ago

@parisni: There is this interesting XEP too:

XEP-0070: Verifying HTTP Requests via XMPP

PhasecoreX commented 5 months ago

I'm not sure what parisni was specifically thinking of, but I'd also like this. I run Authentik on my home server for managing the users for all of my services, controlling who can see which ones and keeping everything in sync. I'd like to have a way that the Snikket login uses SSO (or another Authentik supported auth provider) to do the login for my existing users.

I assume that once a user logs in, something like FAST could be used afterwards? I am very new to XMPP, so I don't know what is and isn't implemented yet. But something where they don't have to keep authenticating over and over. Like an "app password" per client login.

I saw that Prosody had authentication modules, but wasn't sure if Snikket had any as well? I could even go for LDAP if that would be easier.

mwild1 commented 5 months ago

The new release of Snikket has FAST support already (I'm both a Prosody developer and Snikket developer, the modules were developed as part of a project funded by NGI/NLnet). I gave a talk about passwordless auth using FAST at FOSDEM last year.

In short, yes, we're moving towards being able to do things like this. For now though, although we have FAST support, the only way to obtain a FAST token in Snikket is through a password exchange first. We're experimenting with OAuth/OIDC upstream in Prosody, e.g. mod_auth_oauth_external, mod_http_oauth2, and built-in support for the OAUTHBEARER SASL mechanism. As this is all very new and not even supported by clients yet, we decided to keep it disabled in Snikket for now.

A lot of what I've talked about above focuses on work we've been doing in Prosody. However Snikket is aiming for specific use cases, and not to simply expose everything Prosody can do (which is a lot, and can be overwhelming). Snikket already has its own user management - in fact a big part of Snikket is the onboarding flow we put together and tested (again and again) with real users until it was smooth. If we decide to support external auth providers, we need to be sure we don't lose any of that, because ease of use is our primary focus.

What I definitely want to support in Snikket is logging in from XMPP clients without exposing your password to them (so you don't have to share your password with web clients like Movim). I'm more cautious about supporting different authentication backends, due to the reasons I mentioned above. We'll see where it all goes...

kosssi commented 3 weeks ago

Snikket was created to simplify the use of XMPP; I think setting up OIDC is a continuation of that, since it allows non-tech people to access several services with the same password.