{"id":14288,"date":"2011-08-06T16:16:32","date_gmt":"2011-08-06T16:16:32","guid":{"rendered":"https:\/\/wordpress.org\/plugins-wp\/xmpp-auth\/"},"modified":"2016-01-15T14:33:09","modified_gmt":"2016-01-15T14:33:09","slug":"xmpp-auth","status":"publish","type":"plugin","link":"https:\/\/szl.wordpress.org\/plugins\/xmpp-auth\/","author":407694,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_crdt_document":"","version":"0.6","stable_tag":"0.6","tested":"4.4.34","requires":"3.2.0","requires_php":"","requires_plugins":"","header_name":"XMPP-Auth","header_author":"Jehan Hysseo","header_description":"","assets_banners_color":"","last_updated":"2016-01-15 14:33:09","external_support_url":"","external_repository_url":"","donate_link":"http:\/\/libreart.info\/en\/donate","header_plugin_uri":"https:\/\/wordpress.org\/plugins\/xmpp-auth\/","header_author_uri":"http:\/\/girinstud.io","rating":5,"author_block_rating":0,"active_installs":10,"downloads":2821,"num_ratings":1,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":[],"upgrade_notice":{"0.4":"<p>French localization available. DNS cached for improved performance. SCRAM-* support added.<\/p>","0.3":"<p>Users can now customize IM integration in their profiles. IPv6 support. Core\nrewritten.<\/p>","0.2":"<p>Per-feature deactivation allowed and experimental component support.<\/p>","0.1.5":"<p>This version fixes TLS certificates (for encryption).\nThe previous version was likely failing to validate your server certificate,\nhence connect.<\/p>","0.1":"<p>Initial Release. 
Experimental version.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":"1"},"assets_icons":[],"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["0.1","0.1.5","0.2","0.3","0.4","0.6"],"block_files":[],"assets_screenshots":{"screenshot-2.png":{"filename":"screenshot-2.png","revision":"1567238","resolution":"2","location":"plugin"},"screenshot-1.jpg":{"filename":"screenshot-1.jpg","revision":"1567238","resolution":"1","location":"plugin"}},"screenshots":{"1":"Visitor posts a comment and receives a confirmation request by pop-up through\none's IM client (here Psi+).","2":"Configuration page."},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[710,107,17110,72910,17111],"plugin_category":[38,44],"plugin_contributors":[],"plugin_business_model":[],"class_list":["post-14288","plugin","type-plugin","status-publish","hentry","plugin_tags-authentication","plugin_tags-comments","plugin_tags-jabber","plugin_tags-xep-0070","plugin_tags-xmpp","plugin_category-authentication","plugin_category-discussion-and-community","plugin_committers-jehan"],"banners":[],"icons":{"svg":false,"icon":"https:\/\/s.w.org\/plugins\/geopattern-icon\/xmpp-auth.svg","icon_2x":false,"generated":true},"screenshots":[{"src":"https:\/\/ps.w.org\/xmpp-auth\/trunk\/screenshot-1.jpg?rev=1567238","caption":"Visitor posts a comment and receives a confirmation request by pop-up through\none's IM client (here Psi+)."},{"src":"https:\/\/ps.w.org\/xmpp-auth\/trunk\/screenshot-2.png?rev=1567238","caption":"Configuration page."}],"raw_content":"<!--section=description-->\n<p>This plugin has two main features:<\/p>\n\n<ul>\n<li>any reader on your website can comment if one has an Instant Messaging\naddress (XMPP protocol, otherwise called Jabber. 
A Gmail or a LiveJournal\naccount for instance are such standard IM identifiers as well);<\/li>\n<li>a subscribed user (whatever its role) can authenticate with one's IM\naddress if they set their IM address.<\/li>\n<\/ul>\n\n<p>This plugin is still in experimental state but is usable.<\/p>\n\n<h4>Detailed Process<\/h4>\n\n<p>The authentication part is something like openID, except that it uses your\nexisting IM address: you ask for authentication on a website, and it pops up a\nconfirmation via IM (that you can accept, or refuse).<\/p>\n\n<p>Considering that the IM protocol (XMPP) is very secure,\nall the infrastructure to securely exchange an authentication request is\nthere. No need to make any new account, no need for a special client, nor an\nidentity third party provider, and that's really instantaneous (as <em>instant<\/em>\nmessaging) and more secure than HTTP or SMTP protocols.<\/p>\n\n<h4>Spam Protection<\/h4>\n\n<p>It adds an additional layer to protect against Spam by verifying an\nidentity using a very secure and modern protocol (XMPP), which also is instant,\nhence much more reliable in any way than email for instance.<\/p>\n\n<h4>Secure and Easy Login<\/h4>\n\n<p>Many reasons to use such a plugin for login:<\/p>\n\n<ul>\n<li>not to have to remember a new password (password-login can be disabled in\nyour profile, on a per-user choice);<\/li>\n<li>you are in a very insecure environment (for instance a cybercafe) and consider\nonly your IM account to be minimally secured. Or better, you run an IM\nclient on your smartphone (or a similar tool), so you would receive the query\non this personal item while never typing any kind of password on the insecure\nplatform where you log in.<\/li>\n<li>And so on.<\/li>\n<\/ul>\n\n<h3>Configuration<\/h3>\n\n<h4>Publishing Account<\/h4>\n\n<p>This section contains the connection parameters of the account which will be\nused as a wordpress bot. 
I would personally advise creating a dedicated account\njust for it (you may also use your personal account of course, as the plugin's\nbot will create a resource identifier unique for every connection) and\nconfiguring it to refuse any contact and communication (as no one will have to\nadd it to one's roster, except you maybe for testing or debugging purposes?).\nThe fields are:<\/p>\n\n<ul>\n<li>The bot address (bare jid form: mybotname@myserveraddress);<\/li>\n<li>the password.<\/li>\n<\/ul>\n\n<h4>Advanced Connection Parameters<\/h4>\n\n<p>By default xmpp-auth can use SRV records, which are a recommended way to\nadvertise the server and port for a domain name (see for instance\nhttp:\/\/dns.vanrein.org\/srv\/ for details).<\/p>\n\n<p>This is an advanced section in case your server does not use SRV AND uses a server\nwhich is not the same as the domain from the jid or a port different from the\ndefault one (5222).<\/p>\n\n<p>Hence there will be very very few cases where you will have to fill this\nsection and if you don't understand everything I say here, just don't fill\nanything there (if you fill even only one field, then it will be used instead\nof SRV and default values).<\/p>\n\n<p>The default values will be used if the fields are empty and no SRV is configured on\nthe Jabber server:<\/p>\n\n<ul>\n<li>the XMPP server (often the same as 'myserveraddress' of the jid);<\/li>\n<li>the XMPP port (usually 5222).<\/li>\n<\/ul>\n\n<h3>TODO<\/h3>\n\n<p>Features I am considering:<\/p>\n\n<ul>\n<li>check quickstart (http:\/\/xmpp.org\/extensions\/inbox\/quickstart.html). 
In\nparticular, I should at least cache DNS lookups now.<\/li>\n<li>deactivate IM features when the plugin is not configured.<\/li>\n<li>For comments, use the IM avatar of the commenter instead of gravatar;<\/li>\n<li>Make various notifications usually done by email be done by IM instead (if\nappropriate);<\/li>\n<li>Display the comment's JID on the admin page (as we display the email\naddress, obviously only for administrators);<\/li>\n<li>Add Scram-* to SASL package;<\/li>\n<li>Make the generic XMPP part a PEAR package.<\/li>\n<li>Subscribe with XMPP JID.<\/li>\n<li>Login with JID or username (both possible).<\/li>\n<li>If password is disabled, it also cannot be reset.<\/li>\n<li>Let users choose to receive password reset or other notifications through IM\ninstead of email.<\/li>\n<\/ul>\n\n<h3>XMPP Features<\/h3>\n\n<p>Full Secure XML Stream with:<\/p>\n\n<ul>\n<li>TLS (with real certificate verification, so confidentiality and\nauthentication);<\/li>\n<li>SASL (Digest-MD5, CRAM-MD5 and PLAIN only for now);<\/li>\n<li>SRV records \"randomization\" algorithm.<\/li>\n<\/ul>\n\n<h3>Contacts<\/h3>\n\n<p>You can have some news about this plugin on <a href=\"http:\/\/jehan.zemarmot.net\" title=\"my public diary\">my freedom\nhaven<\/a>.\nYou can also drop me an instant message on \"hysseo\" at zemarmot.net.<\/p>\n\n<p>Have a nice life!<\/p>\n\n<!--section=installation-->\n<p><strong>The easy way<\/strong> is via your installed Wordpress's administration pages:<\/p>\n\n<ol>\n<li>Click <code>Plugins<\/code> &gt; <code>Add New<\/code>;<\/li>\n<li>Search for <code>xmpp-auth<\/code>;<\/li>\n<li>Find it in the displayed list;<\/li>\n<li>Click <code>Install Now<\/code>.<\/li>\n<\/ol>\n\n<p><strong>Alternatively<\/strong>, here is the old \"manual\" version:<\/p>\n\n<ol>\n<li>Upload the plugin archive to <em>wp-content\/plugins\/<\/em> directory on your Wordpress installation;<\/li>\n<li>Uncompress it by keeping it in its own sub-directory called 
<em>xmpp-auth\/<\/em>;<\/li>\n<li>Activate the plugin through the 'Plugins' menu in Wordpress;<\/li>\n<li>Configure the plugin through the appearing sub-menu <code>XMPP Authentication<\/code>\nunder the <code>Plugins<\/code> menu;<\/li>\n<li>When acknowledging the configuration by pressing the <code>Update<\/code> button, login\nwill be tested (a connection will be attempted). If anything is wrong with\nyour configuration, you will be immediately informed.<\/li>\n<\/ol>\n\n<p><strong>Once installed<\/strong>, I would suggest modifying the configuration in <em>Settings<\/em> &gt;\n<em>Discussion<\/em> &gt; uncheck <em>Comment author must fill out name and e-mail<\/em> as they\nwill be verified by XMPP (but the fields will stay if the user wants to add\nthem in).<\/p>\n\n<p>Also the new comment field (for JID) is automatically displayed if you use a\nrecent theme (because it uses a function newly added since 3.0). If you don't\nsee the new field after activating, don't panic. There are 4 solutions:<\/p>\n\n<ol>\n<li>the simplest: use a more recent theme. The default <em>twentyten<\/em> and\n<em>twentyeleven<\/em> will work perfectly without doing anything;<\/li>\n<li>if you don't want to change your theme, try to contact the theme writers\nand ask them if they could support the generic (and now \"advised\")\ncomment_form() feature (they will understand);<\/li>\n<li>you know PHP\/HTML and want to do it fast: simply check the file\ncomments.php of your theme and replace the whole form with this\nsimpler function: <code>&lt;?php comment_form(); ?&gt;<\/code> yourself;<\/li>\n<li>or if you want to do it manually, add the following code (can be modified,\nbut what matters obviously is the id of the input field):<\/li>\n<\/ol>\n\n<p>*\n    \n    <\/p>\n\n<p>My advice is <strong>obviously<\/strong> to go for the first and the second solutions. 
The\nthird one is really when you want to do this fast (but still you should report\nthis to the theme writers for them to update upstream) and the fourth is a\nlast resort if you have some very atypical comment form.<\/p>\n\n<h4>dependencies<\/h4>\n\n<ul>\n<li><p>PHP &gt; 5.1.0 (for function <em>stream_socket_enable_crypto<\/em>).<\/p><\/li>\n<li><p><strong>expat<\/strong> library to parse XML (enabled with the <code>--with-xml<\/code>\noption of the php compilation).<\/p><\/li>\n<\/ul>\n\n<p><em>Note for gentoo users<\/em>: you must set the 'xml' USE flag.<\/p>\n\n<ul>\n<li><p><strong>OpenSSL<\/strong> (&gt; 0.9.6) must be installed on the server and PHP must be built\nwith <code>--with-openssl<\/code>.<\/p><\/li>\n<li><p><em>OPTIONAL<\/em>: if the plugin is installed on a BSD (Mac included),\nin order to use the SRV records on the admin JID, which is the correct way of\nresolving the server and port addresses for a domain, the <em>PEAR<\/em> extension\n<strong>NET_DNS<\/strong> must be installed: <code>pear install NET_DNS<\/code> (Note that it will ask\nto have php compiled with the <code>mhash<\/code> option).\nIf it is installed on Windows, it is no longer needed if you have PHP\n5.3.0 or later installed (below this version of PHP, you should also install\nthe NET_DNS extension to benefit from SRV records).\nLinux servers do not need this extension to have SRV.<\/p><\/li>\n<\/ul>\n\n<p><em>Note for gentoo users<\/em>: you must set the 'mhash' USE flag.<\/p>\n\n<h4>Working Platforms<\/h4>\n\n<p>This script has so far been tested only on Wordpress 3.2.1 up to Wordpress\n3.2.1 with PHP 5.3.5 up to PHP 5.3.8, running on a 64-bit GNU\/Linux (Gentoo\nLinux).\nHopefully it should work with other software versions (not for PHP4, because\nof the TLS feature which is PHP5 specific. 
Yet if you are really interested\nin PHP4 compatibility and if TLS is not required for your connection, just\nask me, I will try to make a compatibility layer), but I cannot guarantee.\nTell me please if you tried this successfully with another configuration so\nthat I update the known working platforms list.<\/p>\n\n<p>Conversely, if you find a bug or encounter an issue on some\nconfiguration, don't hesitate to tell me, and I will try and fix it.<\/p>\n\n<!--section=faq-->\n<dl>\n<dt>Will it work with any web browser and any IM client?<\/dt>\n<dd><p>On the web side, the XEP-0070 uses RFC-2617, which is a common way to\nauthenticate to websites. On the XMPP-side, RFC-6120 and XEP-0070 have a nice\nway for clients which do not understand a given feature to fall back to\na message to answer, as though it were a discussion.<\/p>\n\n<p>So hopefully it \"should\" work in most cases with a not-too-broken web browser or\nIM client.\nFor IM clients, it should work (tested or reported by someone) with Psi,\nGajim, OneTeam\u2026 In particular, it is known not to work with Pidgin, Adium,\nSwift, and the GoogleMail web interface.<\/p><\/dd>\n<dt>I get \"Warning: require_once(Auth\/SASL\/DigestMD5.php)\" or another similar warning<\/dt>\n<dd><p>You should check the Installation\/dependencies section. Some PHP modules are\nnecessary. If you are an administrator or have flexible administrators, this will\nbe very easily fixable (follow my instructions in the \"dependencies\" section).\nIf you use a public service, which did not install these dependencies by\ndefault, and where you cannot have anything installed, then I am sorry but my\nplugin unfortunately won't work for you (actually for PEAR modules, you may\nadd them by hand, as they are pure PHP. But you would need to be a developer\nto do this).<\/p><\/dd>\n<dt>When configuring, I get: \"Authentication failure: TLS negotiation failed.\"<\/dt>\n<dd><p>This means that your server uses TLS (and that's good!) 
but I simply did not\npackage the certificate of their CA into my plugin. Please just tell me your server (see\n\"Contacts\" section); I will check the CA and if it is an\nacceptable one, I will add its certificate.<\/p>\n\n<p>It may also mean that the server certificate is self-signed, which is really not\nsecure. If many servers are this way, I may consider adding an option to\nforce such a connection, but I would prefer not. If this happens to you, I\nwould rather suggest that you change the server of your bot for one where\nsecurity matters.<\/p><\/dd>\n<dt>The new \"JID\" field does not appear in the comment form!<\/dt>\n<dd><p>You most probably use an outdated theme which does not use recent Wordpress\nfeatures about commenting (since 3.0). This is not a blocker. See the bottom\nof the \"Installation\" tab. I provide the solutions to this issue.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>0.6<\/h4>\n\n<ul>\n<li>Fix comment validation.<\/li>\n<li>Comment validation through XMPP is now marked as \"experimental\".\nThough still functional, I find the user experience crappy. I will want to\nreview this deeply before considering it in release state.<\/li>\n<li>Comment validation times out at 50 sec (was 30).<\/li>\n<li>Transaction IDs are 6 characters. This makes them easier to copy, even on a\nsmaller virtual keyboard (for instance to validate on your personal smartphone\na login made on a third-party untrusted machine).<\/li>\n<\/ul>\n\n<h4>0.5<\/h4>\n\n<ul>\n<li>Update SASL lib to Auth_SASL2 0.1.0.<\/li>\n<li>Fix Cacert root certificate.<\/li>\n<li>Add Let's Encrypt root certificate.<\/li>\n<li>Improving\/experimenting with the protocol from XEP-0070. 
It should be more\nuser-friendly, while still staying secure.<\/li>\n<\/ul>\n\n<h4>0.4<\/h4>\n\n<ul>\n<li>When login is disabled, the login page look is not modified.<\/li>\n<li>When comments are disabled, I still display the JID field, but simply don't\nprocess anything and without the '*' of mandatory fields.<\/li>\n<li>Localization prepared and French localization available.<\/li>\n<li>DNS results are now cached. I use the ttl of records (maximum 1 week, as\nproposed in RFC-1035) and reorder cached data using failure and success\nknowledge.<\/li>\n<li>PEAR Auth_SASL code is included in the plugin, hence the dependency is gone.<\/li>\n<li><p>A patch has been sent upstream for SCRAM support.<\/p><\/li>\n<li><p>After many years of inactivity, I fixed all the code and tested it against\nWordpress 4.4.1.<\/p><\/li>\n<li>Root certificates were also updated.<\/li>\n<\/ul>\n\n<h4>0.3<\/h4>\n\n<ul>\n<li>Profile page configuration: per-user choice to disable password, IM\nauthentication, or use both.<\/li>\n<li>IPv6 support and better DNS integration.<\/li>\n<li>The core XMPP library has been rewritten with a much more robust, hence secure,\nAPI. The current version had been started in 2008. 
My first XMPP experiment\nthat I used for the plugin Jabber Feed (that I will probably soon merge with\nthe current plugin) and the API was not very nice and could break more\neasily on some unexpected outputs.<\/li>\n<\/ul>\n\n<h4>0.2<\/h4>\n\n<ul>\n<li>Admins now have the possibility to deactivate the plugin on a per-feature basis.<\/li>\n<li>Experimental component support.<\/li>\n<li>\"Jabber \/ Google Talk\" in profile renamed to \"Standard IM\".<\/li>\n<\/ul>\n\n<h4>0.1.5<\/h4>\n\n<ul>\n<li>TLS certificates were not properly configured.<\/li>\n<li>Various fixes.<\/li>\n<\/ul>\n\n<h4>0.1<\/h4>\n\n<p>Initial Release.\nThe plugin can be used to login as a user, or post comments as an unsubscribed\nvisitor.<\/p>","raw_excerpt":"Allows users to authenticate without password via XMPP and for visitors to be filtered by XMPP verification.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/14288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=14288"}],"author":[{"embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/jehan"}],"wp:attachment":[{"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=14288"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=14288"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=14288"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=14288"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"http
s:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=14288"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/szl.wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=14288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}