oauth2 authentication support in ejabberd

Question

I'm currently looking how I could use my oauth2 token from our own application to authenticate against ejabberd.

Is there any solution available which enables me to authenticate in our own product, then use that oauth2 JWT token to authenticate against ejabberd.

Or maybe a different question, how can I synchronize ejabberd users with my own applications users.

I'm looking for a Single Sign on way of working for our users.

I have seen suggestions to update the ejabberd users password with the token generated on each login. and then just login to ejabberd using the username and token. This however sounds more than a hack then a real solution.

Does anyone have experience with this? I don't have any experience with Erlang. Would be great if someone can point me in the right direction.

Answer 1

I see two main correct ways to implement token-based authentication for ejabberd:

• ejabberd custom authentication module: You can write a custom authentication module for ejabberd, using ejabberd hook API. You can use one of the existing Erlang ejabberd_auth*.erl as an example.

• Use a contribution that allows to authenticate against an HTTP backend and perform the token check in that backend. That would remove the need to write Erlang code. Such module is available on ProcessOne Github: ejabberd_auth_http.

Answer 2

Recently I faced the same problem and decided to write a simple ejabberd module:

https://github.com/yokomizor/ejabberd-auth-jwt

Works fine with ejabberd 18, and supports HMAC and RSA. I am using it in a small host, but looks stable so far.

I also found another module doing the same thing but a bit out dated: https://github.com/ParamountVentures/ejabberd-auth-jwt