archive
/
matrix-spec-proposals
mirror of https://github.com/matrix-org/matrix-spec-proposals
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

More clarifications

Browse Source
pull/367/head
Richard van der Hoff 8 years ago
parent ec81b4c9fe
commit 1f1dfdd91c
2 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File

9
specification/client_server_api.rst
Unescape Escape View File

@ -407,7 +407,7 @@ Token-based
:Type: :Type:
``m.login.token`` ``m.login.token``
:Description: :Description:
The client submits a username and token. The client submits a login token.
To respond to this type, reply with an auth dict as follows: To respond to this type, reply with an auth dict as follows:
@ -415,7 +415,6 @@ To respond to this type, reply with an auth dict as follows:
{ {
"type": "m.login.token", "type": "m.login.token",
"user": "<user_id or user localpart>",
"token": "<token>", "token": "<token>",
"txn_id": "<client generated nonce>" "txn_id": "<client generated nonce>"
} }
@ -433,7 +432,8 @@ server side, as well as potentially invalidating the token completely once the
device has successfully logged in (e.g. when we receive a request from the device has successfully logged in (e.g. when we receive a request from the
newly provisioned access_token). newly provisioned access_token).
The ``token`` must be a macaroon. The ``token`` must be a macaroon, with a caveat encoding the user id. There is
therefore no need for the client to submit a separate username.
OAuth2-based OAuth2-based
<<<<<<<<<<<< <<<<<<<<<<<<
@ -563,6 +563,9 @@ To log in using a login token, a client should submit an auth dict as follows:
"token": "<login token>" "token": "<login token>"
} }
As with `token-based`_ interactive login, the ``token`` must be a macroon with
a caveat which includes the user id.
{{login_cs_http_api}} {{login_cs_http_api}}
{{logout_cs_http_api}} {{logout_cs_http_api}}

13
specification/modules/cas_login.rst
Unescape Escape View File

@ -33,7 +33,7 @@ An overview of the process, as used in Matrix, is as follows:
4. The CAS server responds to the user's browser with a redirect back to the 4. The CAS server responds to the user's browser with a redirect back to the
|/login/cas/ticket|_ endpoint on the homeserver, which the browser |/login/cas/ticket|_ endpoint on the homeserver, which the browser
follows. A 'ticket' identifier is passed as a query-parameter in the follows. A 'ticket' identifier is passed as a query parameter in the
redirect. redirect.
5. The homeserver receives the ticket ID from the user's browser, and makes a 5. The homeserver receives the ticket ID from the user's browser, and makes a
@ -41,7 +41,7 @@ An overview of the process, as used in Matrix, is as follows:
6. Having validated the ticket, the homeserver responds to the browser with a 6. Having validated the ticket, the homeserver responds to the browser with a
third HTTP redirect, back to the Matrix client application. A login token third HTTP redirect, back to the Matrix client application. A login token
is passed as a query-parameter in the redirect. is passed as a query parameter in the redirect.
7. The Matrix client receives the login token and passes it to the |/login|_ 7. The Matrix client receives the login token and passes it to the |/login|_
API. API.
@ -77,15 +77,16 @@ Handling the redirect endpoint
When responding to the ``/login/cas/redirect`` endpoint, the server must When responding to the ``/login/cas/redirect`` endpoint, the server must
generate a URI for the CAS login page. The server should take the base CAS URI generate a URI for the CAS login page. The server should take the base CAS URI
described above, and add a ``service`` query-parameter. This parameter MUST be described above, and add a ``service`` query parameter. This parameter MUST be
the URI of the ``/login/cas/ticket`` endpoint, including the ``redirectUrl`` the URI of the ``/login/cas/ticket`` endpoint, including the ``redirectUrl``
query-parameter. Because the homeserver may not know its base URI, this may query parameter. Because the homeserver may not know its base URI, this may
also require manual configuration. also require manual configuration.
.. TODO-spec: .. TODO-spec:
It might be nice if the server did some validation of the ``redirectUrl`` It might be nice if the server did some validation of the ``redirectUrl``
parameter, so that we could give more meaningful errors in the case of parameter, so that we could check that aren't going to redirect to a non-TLS
endpoint, and to give more meaningful errors in the case of
faulty/poorly-configured clients. faulty/poorly-configured clients.
Handling the authentication endpoint Handling the authentication endpoint
@ -97,7 +98,7 @@ check for certain user attributes in the response. Any required attributes
should be configured by the server administrator. should be configured by the server administrator.
Once the ticket has been validated, the server MUST map the CAS ``user_id`` Once the ticket has been validated, the server MUST map the CAS ``user_id``
to a valid `Matrix user idenitifier <../intro.html#user-identifiers>`_. The to a valid `Matrix user identifier <../intro.html#user-identifiers>`_. The
guidance in `Mapping from other character sets guidance in `Mapping from other character sets
<../intro.html#mapping-from-other-character-sets>`_ may be useful. <../intro.html#mapping-from-other-character-sets>`_ may be useful.

Write Preview
Loading…
Cancel
Save