Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove m.login.token and m.login.oauth2 UIA types #2609

Merged
merged 3 commits into from
Jul 28, 2020
Merged

Remove m.login.token and m.login.oauth2 UIA types #2609

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7c6636a
Remove `m.login.token` and `m.login.oauth2` UIA types
richvdh Jun 4, 2020
d9f9706
changelog
richvdh Jun 4, 2020
24d124d
Update changelogs/client_server/newsfragments/2609.removal
turt2live Jul 28, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
1 change: 1 addition & 0 deletions changelogs/client_server/newsfragments/2609.removal
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Remove unimplemented ``m.login.oauth2`` and ``m.login.token`` user-interactive authentication mechanisms.
75 changes: 6 additions & 69 deletions specification/client_server_api.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -431,13 +431,12 @@ User-Interactive Authentication API
Overview
<<<<<<<<

Some API endpoints require authentication that
interacts with the user. The homeserver may provide many different ways of
authenticating, such as user/password auth, login via a social network (OAuth2),
login by confirming a token sent to their email address, etc. This specification
does not define how homeservers should authorise their users but instead
defines the standard interface which implementations should follow so that ANY
client can login to ANY homeserver.
Some API endpoints require authentication that interacts with the user. The
homeserver may provide many different ways of authenticating, such as
user/password auth, login via a single-sign-on server (SSO), etc. This
specification does not define how homeservers should authorise their users but
instead defines the standard interface which implementations should follow so
that ANY client can login to ANY homeserver.

The process takes the form of one or more 'stages'. At each stage the client
submits a set of data for a given authentication type and awaits a response
Expand Down Expand Up @@ -663,11 +662,9 @@ Authentication types
This specification defines the following auth types:
- ``m.login.password``
- ``m.login.recaptcha``
- ``m.login.oauth2``
- ``m.login.sso``
- ``m.login.email.identity``
- ``m.login.msisdn``
- ``m.login.token``
- ``m.login.dummy``

Password-based
Expand Down Expand Up @@ -744,66 +741,6 @@ To use this authentication type, clients should submit an auth dict as follows:
"session": "<session ID>"
}

Token-based
<<<<<<<<<<<
:Type:
``m.login.token``
:Description:
The client submits a login token.

To use this authentication type, clients should submit an auth dict as follows:

.. code:: json

{
"type": "m.login.token",
"token": "<token>",
"txn_id": "<client generated nonce>",
"session": "<session ID>"
}


A client may receive a login ``token`` via some external service, such as email
or SMS. Note that a login token is separate from an access token, the latter
providing general authentication to various API endpoints.

Additionally, the server must encode the user ID in the ``token``; there is
therefore no need for the client to submit a separate username.

The ``txn_id`` should be a random string generated by the client for the
request. The same ``txn_id`` should be used if retrying the request. The
``txn_id`` may be used by the server to disallow other devices from using the
token, thus providing "single use" tokens while still allowing the device to
retry the request. This would be done by tying the token to the ``txn_id``
server side, as well as potentially invalidating the token completely once the
device has successfully logged in (e.g. when we receive a request from the
newly provisioned access_token).


OAuth2-based
<<<<<<<<<<<<
:Type:
``m.login.oauth2``
:Description:
Authentication is supported via OAuth2 URLs. This login consists of multiple
requests.
:Parameters:
``uri``: Authorization Request URI OR service selection URI. Both contain an
encoded ``redirect URI``.

The homeserver acts as a 'confidential' client for the purposes of OAuth2. If
the uri is a ``service selection URI``, it MUST point to a webpage which prompts
the user to choose which service to authorize with. On selection of a service,
this MUST link through to an ``Authorization Request URI``. If there is only one
service which the homeserver accepts when logging in, this indirection can be
skipped and the "uri" key can be the ``Authorization Request URI``.

The client then visits the ``Authorization Request URI``, which then shows the
OAuth2 Allow/Deny prompt. Hitting 'Allow' redirects to the ``redirect URI`` with
the auth code. Homeservers can choose any path for the ``redirect URI``. Once
the OAuth flow has completed, the client retries the request with the session
only, as above.

Single Sign-On
<<<<<<<<<<<<<<
:Type:
Expand Down