Movim is a social-oriented XMPP client, so yes, it needs to log in to your account. You don't have to use the mov.im instance - in an ideal world your own server can run a copy of Movim, but you can also self-host, or even run it locally on your system.
This year I'm also going to be working on account access delegation for XMPP as part of a funded project, resulting in implementation in Prosody (server software) and publishing/updating related standards. That's the kind of thing Movim would be able to take advantage of so you can grant (restricted) account access to a remote Movim instance without sharing your password.
> This year I'm also going to be working on account access delegation for XMPP as part of a funded project, resulting in implementation in Prosody (server software) and publishing/updating related standards.
So that I can do something along the lines of "Log in with XMPP" and then my client asks me "hey do you wanna allow movim.eu to access foo/do bar on your behalf"?
That sounds very useful. Sharing my password like this does not seem a great idea.
That's slightly different. XEP-0070 is about allowing someone to verify that you own a given XMPP address. That is indeed often all you need for a "Log in with XMPP" functionality. Just like how many sites allow you to log in with an email + verification link today.
However it does not grant someone the ability to connect to your account and perform any actions. Movim is an XMPP client. It interacts with the XMPP network as you, not as a third-party. That's very different to what XEP-0070 is for.
Currently the only practical way to allow someone access to your XMPP account is to give them your credentials. But if you do that, there's no way to restrict, monitor or revoke their access (apart from changing your password - something they would also be able to do!).
Many XMPP server implementations already implement some of the building blocks for something better (e.g. Prosody and ejabberd both support OAuth in some form already). But there are a number of important missing pieces before we can get it usable and adopted, and that's what I will be focusing on this year.
Again, in Movim's case it's fully open-source. You can self-host it or run it on your laptop, so you're never forced to hand over your credentials to any third party today. But many people would find a mechanism to grant a third-party limited access to their account an acceptable solution, so they can use Movim instances hosted by others.
Oh, I was not aware you're working on proper authorization/delegation for XMPP. That's really cool! Can't wait to see your blog post on this topic on HN front page :)