MSC2965: OAuth 2.0 Authorization Server Metadata discovery #2965
Conversation
turt2live
changed the title
turt2live
added
kind:feature
turt2live
added
the
needs-implementation
Are any other examples planned? I’m using Ory for several apps that I’d like to also connect together with Matrix. It also strikes me as a conveniently lightweight example for Matrix, which also aligns well with Dendrite since it’s in Go. |
|
@erlend-sh Good suggestion, thank you - I've added element-hq/oidc-playground#3 to track this. |
hughns
changed the title
|
Implementation lgtm. Concerns are relatively minor as well: @mscbot fcp merge |
|
Team member @mscbot has proposed to merge this. The next step is review by the rest of the tagged people: Concerns:
Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for information about what commands tagged team members can give me. |
mscbot
added
proposed-final-comment-period
turt2live
removed
the
implementation-needs-checking
mscbot
added
the
unresolved-concerns
Co-authored-by: Travis Ralston <[email protected]>
mscbot
removed
the
unresolved-concerns
|
|
||
| If the homeserver does not offer next-generation authentication as described in [MSC3861], this endpoint should return a 404 with the `M_UNRECOGNIZED` error code. | ||
|
|
||
| In this case, clients should fall back to using the User-Interactive Authentication flows instead to authenticate the user. |
There was a problem hiding this comment.
Isn't /login the main User-Interactive Authentication flow?
proposals/2965-auth-metadata.md
Outdated
| The first option would require making well-known documents mandatory on the server name domain, with a document that may need to be updated more frequently than existing ones. | ||
| This isn't practical for some server deployments, and clients may find it challenging to consistently perform this discovery. | ||
|
|
||
| The second option is also impractical, as all other Matrix APIs on this domain are prefixed with `/_matrix`, and it could easily be confused with the set of well-known documents hosted on the server name domain. |
There was a problem hiding this comment.
I don't understand this -- I think the thread (https://github.com/matrix-org/matrix-spec-proposals/pull/2965/files#r1924524746) talks about before/after finding the client API. That rationale seems to be missing here.
Frankly to me, I'd expect this to be under well-known.
This is the method to get the server metadata in the latest draft of [MSC2965](matrix-org/matrix-spec-proposals#2965). We still keep the old behavior with `GET /auth_issuer` as fallback for now because it has wider server support. There are some pre-main commit cleanups to simplify the main commit. This can be reviewed commit by commit. The changes were tested with the oidc_cli example on beta.matrix.org. Closes #4550. --------- Signed-off-by: Kévin Commaille <[email protected]>
Co-authored-by: Richard van der Hoff <[email protected]>
…rnatives section.
Rendered
Status:
Dependencies:
Clients and homeservers currently implement an older version of this proposal, and need to be updated:
/auth_metadataendpoint defined in MSC2965. element-hq/synapse#18093/auth_metadataAPI matrix-js-sdk#4626SCT:
tickyboxes
checklist