Merge branch 'master' into travis/spec/is-auth

.circleci/config.yml

@@ -121,4 +121,4 @@ workflows:
 
 notify:
   webhooks:
-    - url: https://giles.cadair.com/circleci
+    - url: https://giles.cadair.dev/circleci

api/client-server/registration.yaml

@@ -95,18 +95,6 @@ paths:
                   should be authenticated, but is instead used to
                   authenticate the ``register`` call itself.
                 "$ref": "definitions/auth_data.yaml"
-              bind_email:
-                type: boolean
-                description: |-
-                  If true, the server binds the email used for authentication to
-                  the Matrix ID with the identity server.
-                example: false
-              bind_msisdn:
-                type: boolean
-                description: |-
-                  If true, the server binds the phone number used for authentication
-                  to the Matrix ID with the identity server.
-                example: false
               username:
                 type: string
                 description: |-

changelogs/client_server/newsfragments/2279.feature

@@ -0,0 +1 @@
+Remove ``bind_msisdn`` and ``bind_email`` from ``/register`` now that the identity server's bind endpoint requires authentication.

proposals/2140-terms-of-service-2.md

@@ -1,5 +1,7 @@
 # MSC2140: Terms of Service API for Identity Servers and Integration Managers
 
+*Note*: This MSC was added to in [MSC2264](https://github.com/matrix-org/matrix-doc/pull/2264)
+
 [MSC1692](https://github.com/matrix-org/matrix-doc/issues/1692) introduces a
 method for homeservers to require that users read and agree to certain
 documents before being permitted to use the service. This proposal introduces a
@@ -277,6 +279,16 @@ Clients may add IS bindings for 3PIDs that already exist on the user's
 Homeserver account by using the `POST /_matrix/client/r0/account/3pid`
 to re-add the 3PID.
 
+### Unstable feature flag for transition
+
+In order to allow client implementations to determine if the homeserver they are developed
+against supports `id_access_token`, an unstable feature flag of `m.id_access_token`
+is to be added to `/versions`. When the flag is `false` or not present, clients must assume
+that the homeserver does not support being given `id_access_token` and may receive an error
+for doing so. Clients are expected to use the supported specification versions the homeserver
+advertises instead of the feature flag's presence once this proposal is included in a release
+of the specification.
+
 ## Tradeoffs
 
 The Identity Service API previously did not require authentication, and OpenID

proposals/2263-homeserver-pw-resets.md

@@ -0,0 +1,56 @@
+# MSC2263: Give homeservers the ability to handle their own 3PID registrations/password resets
+
+In order to better protect the privacy of a user, Matrix is wanting to shift to
+a model where identity servers have less control over the affairs of the homeserver.
+Identity servers are currently used to reset the passwords of users on a given homeserver
+as an identity verification technique, however there is no reason why the homeserver
+itself can't handle the verification. This proposal allows for a homeserver to verify
+the identity of users itself, without the use of an identity server.
+
+## Proposal
+
+The `id_server` parameter is to become optional on the following endpoints:
+
+* `/_matrix/client/:version/account/3pid/:medium/requestToken`
+* `/_matrix/client/:version/register/:medium/requestToken`
+* `/_matrix/client/:version/account/password/:medium/requestToken`
+
+The `id_server` parameter is additionally deprecated with intention of being removed
+in a future specification release on the `/register/:medium` and `/account/password/:medium`
+endpoints. Once appropriate adoption has been achieved, the specification can safely
+remove the parameter as supported. The reason for this deprecation is to completely
+remove the identity server's ability to be involved in password resets/registration.
+Users wishing to bind their 3rd party identifiers can do so after registration, and
+clients can automate this if they so desire.
+
+Note that `bind_email` and `bind_msisdn` on `/register` have already been removed
+by [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140).
+
+As per [MSC2140](https://github.com/matrix-org/matrix-doc/pull/2140), an `id_access_token`
+is required only if an `id_server` is supplied.
+
+Although not specified as required in the specification currently, the `id_server`
+as part of User-Interactive Authentication is also optional if this proposal is accepted.
+When the client requests a token without an `id_server`, it should not specify an
+`id_server` in UIA.
+
+Homeservers can reuse HTTP 400 `M_SERVER_NOT_TRUSTED` as an error code on the `/requestToken`
+endpoints listed above if they do not trust the identity server the user is supplying.
+
+In order to allow client implementations to determine if the homeserver they are developed
+against supports `id_server` being optional, an unstable feature flag of `m.require_identity_server`
+is to be added to `/versions`. When the flag is `true` or not present, clients must assume
+that the homeserver requires an `id_server` (ie: it has not yet considered it optional).
+If this proposal is accepted, clients are expected to use the supported specification versions
+the homeserver advertises instead of the feature flag's presence.
+
+## Tradeoffs
+
+Homeservers may have to set up MSISDN/email support to their implementations. This is believed
+to be of minimal risk compared to allowing the identity server to continue being involved
+with password reset/registration.
+
+## Security considerations
+
+The identity server was previously involved with affairs only the homeserver cares about.
+This is no longer the case.

pyproject.toml

@@ -1,9 +1,9 @@
-[ tool.giles ]
+[ tool.gilesbot ]
 
-  [ tool.giles.circleci_artifacts.docs ]
+  [ tool.gilesbot.circleci_artifacts.docs ]
     url = "gen/index.html"
     message = "Click details to preview the HTML documentation."
 
-  [ tool.giles.circleci_artifacts.swagger ]
+  [ tool.gilesbot.circleci_artifacts.swagger ]
     url = "client-server/index.html"
     message = "Click to preview the swagger build."