Romeo is an active XMPP IM (Instant Messaging) user. He convinces Juliet (who doesn't have an XMPP account yet) to install a client and register with some server. Now, Romeo only needs to create a mutual presence subscription with her, without yet knowing her JID.
This specification allows Romeo to create an out-of-band link (URI) which, when opened in Juilet's (or another user's) client, will:
The perceivable effect is that with a single click, Romeo and Juliet become "friends" in terms of XMPP presence subscription.
This specification makes use of XMPP URIs. The basic URI scheme for XMPP is defined in RFC 5122  and extended in XMPP URI Query Components (XEP-0147)  to support different actions like "roster" for roster addition and "subscribe" for presence subscription.
The process of mutual roster addition and subscription involves multiple steps:
The general idea of the protocol and the details of the individual steps are outlined in the following.
As Romeo doesn't know Juliet's JID, he needs to send an out-of-band invitation. Later, his client needs to match an incoming subscription request to this invitation, so it can perform a secure automatic roster addition and subscription approval. This matching is accomplished by means of an authentication token, which is generated by Romeo's client, added to the invitation link and then carried over into the subscription request eventually made by Juliet's client. Romeo's client can then compare the token received in a subscription request to the list of issued tokens, and automatically approve the subscription.
Whenever Romeo wishes to invite somebody to his roster, his client will generate an invitation link that contains a new authentication token. This document extends the "roster" URI action defined in XEP-0147 with a new key-value parameter named "preauth" to store the generated token. Romeo's client will create an xmpp: link containing Romeo's JID, the "roster" action, the "preauth" parameter with the token value, and optionally a "name" parameter with the suggested display name.
If the "preauth" parameter is present, the processing client is supposed not only to add the user to the roster, but also to automatically send a subscription request containing the authentication token.
Server-side implementation: it is possible (but out-of-scope for this document), to let the user's server handle generation of links as well as automatic approval of qualified subscription requests. One such approach is documented in Easy User Onboarding (XEP-0401) .
As Romeo doesn't know Juliet's JID in advance, he needs to use an out-of-band method (like e-mail, QR codes or NFC) to transmit the invitation link to Juliet. While these methods allow transmission of xmpp: URIs, there is no mechanism to ensure that Juliet actually has a client installed that can open the URI.
One way to solve this problem is to present Juliet with a web-based landing page that contains the following elements:
There are multiple options where such a landing page could be hosted:
A possible screen representation of the landing page would be:
When Juliet opens the xmpp: URI (or the according client-supported landing page URI) in her client, the client should perform the usual roster addition action, i.e. display a dialog allowing to edit the entry or to cancel the process. If Juliet completes the roster addition, the client SHOULD also send a subscription request to Romeo. This request SHOULD contain a 'preauth' element containing the authentication token from the invitation link.
If Juliet's server supports subscription pre-approval, the client SHOULD additionally pre-approve Romeo:
If Juliet's server does not indicate pre-approval support, her client SHOULD store Romeo's JID in a local auto-approval whitelist, together with an appropriate expiration time.
When Romeo's client receives a subscription request containing a 'preauth' element, it needs to extract the authentication token and check if the token is a valid one and was previously issued by the client (see security considerations below).
If the token is considered valid, the client SHOULD automatically approve the subscription request, add the sender of the subscription request to the roster and send a subscription request of its own.
If Juliet's server supports pre-approval, it will automatically handle the incoming subscription request and issue a roster push. Otherwise, Juliet's client will receive the subscription request:
Juliet's client MUST ensure that the sender JID is contained in the auto-approval whitelist before automatically approving the request. Otherwise, it has to fallback to the normal subscription approval process.
An implementation of this protocol MUST allow for a "graceful degradation" to the manual subscription approval process. If a client receives a malformed or unknown 'preauth' token, it MUST ignore it and act as if no preauth token was contained.
When sending a pre-authenticated subscription request, the contact's client MUST NOT expect an immediate successful approval. If the user's issuing client is currently offline, or if the token has expired, a manual approval will be performed. Therefore, the contact's client should use the same mechanism as before to indicate an unidirectional subscription.
As the authentication token grants automatic addition to Romeo's roster and automatic approval of presence subscription, the token SHOULD be created with a cryptographically secure random number generator  and provide sufficient entropy to make brute-force attacks infeasible. It is suggested to generate at least 80 bits of entropy, and to use an encoding that can be easily encoded as part of an URI (e.g. Base-32).
It is possible to use a different token generation scheme like Security Assertion Markup Language  or JWT (RFC 7519 ). In such a case, the issuer must ensure a comparable security level and limit token reuse.
To limit the potential for abuse, the token SHOULD be limited in as follows:
If a token is considered invalid (due to failing any of the above conditions, or for other reasons), a client MUST fall back to manual roster addition and manual subscription approval.
A Monkey-in-the-Middle attacker who gains access to the invitation link can manipulate its fields or redeem the link themselves. However, this is true for all communication performed using the chosen medium and is out of scope for this document.
Ideally, Romeo's client should highlight automatically-added roster items and provide an easy mechanism to remove them and cancel their subscription.
An attacker can lure the user by providing an invitation link with a 'name' parameter that does not match the JID. Therefore, a client SHOULD always display both the JID and the proposed display name when adding a roster item.
When the user's client automatically approves a subscription, it SHOULD add the new contact to the roster without a 'name' or with the 'name' equal to the JID, to prevent impersonation attacks.
If a user is logged in with multiple clients, some of their clients will receive a subscription request with an unknown token. In this case, a client MAY delay the user notification for a short time, to allow another logged-in client to automatically handle the subscription request.
Some mobile device platforms allow an app to register itself as a handler for cetain URIs. This allows an XMPP client to register for xmpp: URIs, but also to redirect handling of cetain HTTP/HTTPS URIs. A mobile client SHOULD register for the associated landing page URIs and properly handle the contained invitations. For example, the JuicyXMPP client should register a handler for https://juicyxmpp.example/i/*, and present the "Add to roster" dialog if such a link is opened. A client MAY register for the landing page URIs of other providers after obtaining the operators' approval.
By default, Romeo's client should generate personal invitation links that can only be redeemed once, and only for a limited time. This fact SHOULD be indicated by the client UI to Romeo.
If a client allows customization of the validity time or the number of uses for a given invitation token, it SHOULD provide clear language to inidcate that.
When a new contact is added automatically by the client, it SHOULD indicate this fact to the user, and allow the user to rename / group the contact appropriately. One possible way to achieve this is by putting all auto-added contacts into a special roster group, and by automatically removing this group on the first manual edit of the contact.
In this case, the roster group should be named by the client according to the user's locale settings. However, this approach might lead to different clients using different group names, resulting in multiple roster groups with the same goal.
This document requires no interaction with the Internet Assigned Numbers Authority (IANA) .
Include the "urn:xmpp:pars:0" namespace in the registry of protocol namespaces. Include "preauth" as an additional key-value parameter to the roster query action.
REQUIRED for protocol specifications.
This document in other formats: XML PDF
This XMPP Extension Protocol is copyright © 1999 – 2019 by the XMPP Standards Foundation (XSF).
Permission is hereby granted, free of charge, to any person obtaining a copy of this specification (the "Specification"), to make use of the Specification without restriction, including without limitation the rights to implement the Specification in a software program, deploy the Specification in a network service, and copy, modify, merge, publish, translate, distribute, sublicense, or sell copies of the Specification, and to permit persons to whom the Specification is furnished to do so, subject to the condition that the foregoing copyright notice and this permission notice shall be included in all copies or substantial portions of the Specification. Unless separate permission is granted, modified works that are redistributed shall not contain misleading information regarding the authors, title, number, or publisher of the Specification, and shall not claim endorsement of the modified works by the authors, any organization or project to which the authors belong, or the XMPP Standards Foundation.
## NOTE WELL: This Specification is provided on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. ##
In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall the XMPP Standards Foundation or any author of this Specification be liable for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising from, out of, or in connection with the Specification or the implementation, deployment, or other use of the Specification (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if the XMPP Standards Foundation or such author has been advised of the possibility of such damages.
This XMPP Extension Protocol has been contributed in full conformance with the XSF's Intellectual Property Rights Policy (a copy of which can be found at <https://xmpp.org/about/xsf/ipr-policy> or obtained by writing to XMPP Standards Foundation, P.O. Box 787, Parker, CO 80134 USA).
The Extensible Messaging and Presence Protocol (XMPP) is defined in the XMPP Core (RFC 6120) and XMPP IM (RFC 6121) specifications contributed by the XMPP Standards Foundation to the Internet Standards Process, which is managed by the Internet Engineering Task Force in accordance with RFC 2026. Any protocol defined in this document has been developed outside the Internet Standards Process and is to be understood as an extension to XMPP rather than as an evolution, development, or modification of XMPP itself.
The primary venue for discussion of XMPP Extension Protocols is the <email@example.com> discussion list.
Discussion on other xmpp.org discussion lists might also be appropriate; see <http://xmpp.org/about/discuss.shtml> for a complete list.
Given that this XMPP Extension Protocol normatively references IETF technologies, discussion on the <firstname.lastname@example.org> list might also be appropriate.
Errata can be sent to <email@example.com>.
The following requirements keywords as used in this document are to be interpreted as described in RFC 2119: "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".
6. Security Assertion Markup Language <http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security>.
8. The Internet Assigned Numbers Authority (IANA) is the central coordinator for the assignment of unique parameter values for Internet protocols, such as port numbers and URI schemes. For further information, see <http://www.iana.org/>.
Note: Older versions of this specification might be available at http://xmpp.org/extensions/attic/
Change URI format, editing, add reference to XEP-0401.
Added "Usability Considerations", removed actual XMPP client, some text editing.
Minor DTD and formatting fixes.