Openfire and Oauth

Hi all,

Anyone already tried to use Oauth to authenticate access a private data from an user ? I read about XEP235 but i’m not sure if this is what a really wanted.

I want to generate a req/access token for an non openfire user ( or anonymous user ) access a private data from an openfire user.

What do u think is the best way to implement this kind of authentication ?

A plugin for openfire would do the job ? or i ll probably need to try some changes on openfire source code ?

thanks for your attention


have you found a solution to this problem? i am attempting to do the same thing!

Yes, you would need to implement XEP-235 to do this. Unfortunately, it appears that no one has implemented this in any XMPP server or client, and the standard is officially deferred / not recommended for implementation. I agree that this is a very desirable feature and hope the XMPP community gets moving forward on how to do this again… for now it appears to be stalled.

If there are alternate strategies for implementing a modern web based single sign on with XMPP chat I’d love to hear them. For Oauth you’re basically using a SAML or OpenID authentication to access a form that issues the Oauth token to you, so perhaps it would be possible to make a separate website that integrates with whichever tool and then sets the password in Openfire. Except then you would need to provide for robust revocation, which is a core part of Oauth, so this might not be doable.

For now my users have to maintain a separate userid and password for the chat service because it can’t leverage our enterprise SAML/OpenID implementation. (LDAP isn’t an option, it needs to be a claims based system)


I would like to authorize another web application to log in to my xmpp account, read and change my status, and send and receive messages. This without giving that other web application my password. I believe Oauth can do this and I am interested in implementing this.

My current idea is that the user logs in to openfire, receives a message from openfire itself, asking him to reply “YES” or “NO” to authorize a certain application, and if says “YES”, receives back a link to the web application.

This absent client support for oauth.

Kind Regards,

Emanuel Rietveld