MSN in Empathy with XMPP

A month and a half ago, Microsoft announced that they had added XMPP to their Windows Live APIs. That means that any Jabber client could connect to MSN using our favorite open IM protocol! No more closed protocol to reverse-engineer.

Unfortunately, logging into their service is a bit more complex than just providing a login and password: they support only OAUTH2-like authentication. The good thing is that gnome-online-accounts already supports oauth2 for Facebook and Google services, and I’ve seen while googling that the mechanism is pretty much the same as Facebook. So I’ve downloaded Microsoft’s documentation (registration required to get it), created my own Windows Live application, copied GOA’s Facebook code to start with, and replaced the bits according to MS’ doc and got the login page!

Creating Windows Live account in GnomeOnlineAccounts

Unfortunately, from there it was failing to get the access-token, turns out the documentation contradicts itself. In one place they describe the exact same mechanism as existing code for Facebook, and the other places have small differences… I’ll let you guess which way actually worked 😉

The Windows Live account created in GnomeOnlineAccounts

Then I had to write in empathy-auth-client (an app usually used to ask user the password) code to instead take the access-token from GOA’s DBus API and give it to telepathy-gabble (our XMPP backend). After fixing a few bugs in telepathy-glib, telepathy-gabble and wocky, EUREKA! Got my MSN account connected in Empathy! Unfortunately it seems the features exposed by their XMPP server are really limited, just like Facebook’s XMPP.

My MSN contacts in Empathy

At the same time, I’ve also added support in Empathy to connect to Facebook GOA accounts, and authenticate them using goa’s access-token instead of having to repeat the password.

Code source is available in bugzilla, waiting for review:

Still, we have an important issue:
This new auth mechanism require us to register a Facebook/Windows Live application. An application consists of a public ID and a secret key. Since gnome-online-accounts is open source code, it means the app’s secret key would be readable from its source code (atm it is given as configure flag), meaning that anyone could make its own malware claiming being the “GNOME” application. This could be considered by Facebook/Microsoft a violation of their service (if I understood correctly). For Google service, it is not a problem because they offer an “anonymous” application and it is user’s choice to accept to grant permission or not (again, if I understood correctly).

Thanks to Collabora for letting me working on this!