MSC4326: Device masquerading for appservices (#4326)
Co-authored-by: Tulir Asokan <tulir@maunium.net>anoa/tweak_msc_checklist
Travis Ralston
2 months ago
committed by
GitHub
parent
130da801e3
commit
2b15b1074b
@ -0,0 +1,117 @@
|
|||||||
|
# MSC4326: Device masquerading for appservices
|
||||||
|
|
||||||
|
*History*: This proposal is split off from [MSC3202: Encrypted Appservices](https://github.com/matrix-org/matrix-spec-proposals/pull/3202).
|
||||||
|
|
||||||
|
Appservices today can make requests as any (local) user in their namespace through [identity assertion](https://spec.matrix.org/v1.15/application-service-api/#identity-assertion).
|
||||||
|
To support end-to-end encryption and other similar device-centric functionality, appservices need to
|
||||||
|
be able to also pick the device ID they are speaking as.
|
||||||
|
|
||||||
|
This proposal adds device ID to the identity assertion appservices can already perform, leaving other
|
||||||
|
aspects of end-to-end encryption support to other MSCs like MSC3202 (mentioned above).
|
||||||
|
|
||||||
|
|
||||||
|
## Proposal
|
||||||
|
|
||||||
|
To complement the (optional) `user_id` query string parameter during identity assertion, an also-optional
|
||||||
|
`device_id` parameter is also supported. The new `device_id` parameter is only available when `user_id`
|
||||||
|
is available to the caller - when authenticating using an `as_token`.
|
||||||
|
|
||||||
|
When both a `user_id` and `device_id` are provided, and both are known/registered, the server uses those
|
||||||
|
details for the remainder of the request. For many endpoints this means updating the "last seen IP"
|
||||||
|
and "last seen timestamp" for the device, though for some endpoints it may mean interacting with the
|
||||||
|
device specifically (such as when uploading one-time keys).
|
||||||
|
|
||||||
|
If the `device_id` does not already exist on the `user_id`, the server returns a `400 M_UNKNOWN_DEVICE`
|
||||||
|
standard error response.
|
||||||
|
|
||||||
|
If the `device_id` is present without a `user_id`, the `user_id` is assumed to be the appservice's
|
||||||
|
default sender (the user implied by `sender_localpart` in its registration). This is the same behaviour
|
||||||
|
as today when the appservice makes such requests.
|
||||||
|
|
||||||
|
If the `device_id` is present and the requester is not able to use identity assertion, the request
|
||||||
|
continues as though the `device_id` parameter was never present. This copies the behaviour of `user_id`.
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
*All examples assume the `user_id` is within the appservice's scope.*
|
||||||
|
|
||||||
|
User ID asserted, but not device ID:
|
||||||
|
|
||||||
|
```text
|
||||||
|
GET /_matrix/client/v3/account/whoami?user_id=@alice:example.org
|
||||||
|
Authorization: Bearer as_token_here
|
||||||
|
|
||||||
|
{
|
||||||
|
"user_id": "@alice:example.org",
|
||||||
|
"is_guest": false
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
User ID and device ID asserted:
|
||||||
|
|
||||||
|
```text
|
||||||
|
GET /_matrix/client/v3/account/whoami?user_id=@alice:example.org&device_id=ABC123
|
||||||
|
Authorization: Bearer as_token_here
|
||||||
|
|
||||||
|
{
|
||||||
|
"user_id": "@alice:example.org",
|
||||||
|
"is_guest": false,
|
||||||
|
"device_id": "ABC123"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Just device ID asserted:
|
||||||
|
|
||||||
|
```text
|
||||||
|
GET /_matrix/client/v3/account/whoami?device_id=ABC123
|
||||||
|
Authorization: Bearer as_token_here
|
||||||
|
|
||||||
|
{
|
||||||
|
"user_id": "@the_appservice_sender:example.org",
|
||||||
|
"is_guest": false,
|
||||||
|
"device_id": "ABC123"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Nothing asserted:
|
||||||
|
|
||||||
|
```text
|
||||||
|
GET /_matrix/client/v3/account/whoami
|
||||||
|
Authorization: Bearer as_token_here
|
||||||
|
|
||||||
|
{
|
||||||
|
"user_id": "@the_appservice_sender:example.org",
|
||||||
|
"is_guest": false
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Potential issues
|
||||||
|
|
||||||
|
Appservices will need to create and manage their users' devices using another proposal or system. An
|
||||||
|
example is [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190).
|
||||||
|
|
||||||
|
|
||||||
|
## Alternatives
|
||||||
|
|
||||||
|
None relevant.
|
||||||
|
|
||||||
|
|
||||||
|
## Security considerations
|
||||||
|
|
||||||
|
The behaviour of `device_id` is largely copied from `user_id`, so should not increase or decrease an
|
||||||
|
appservice's capabilities beyond what it could already do. This is especially true for appservices
|
||||||
|
which cover "real" users in their namespaces: while they couldn't (and still can't) access data encrypted
|
||||||
|
before using something like [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202),
|
||||||
|
they could log out whatever devices they don't want and register new ones accordingly.
|
||||||
|
|
||||||
|
|
||||||
|
## Unstable prefix
|
||||||
|
|
||||||
|
For historical reasons, unstable implementations of this proposal should use `org.matrix.msc3202.device_id`
|
||||||
|
instead of `device_id`.
|
||||||
|
|
||||||
|
`ORG.MATRIX.MSC4326.M_UNKNOWN_DEVICE` is used as the error code instead of `M_UNKNOWN_DEVICE`.
|
||||||
|
|
||||||
|
## Dependencies
|
||||||
|
|
||||||
|
None relevant. Some MSCs depend on this MSC's functionality, however.
|
||||||
Loading…
Reference in New Issue