Merge pull request #2609 from matrix-org/rav/remove_oauth2

Remove `m.login.token` and `m.login.oauth2` UIA types
pull/977/head
Travis Ralston 4 years ago committed by GitHub
commit 012f0b1882
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1 @@
Remove unimplemented ``m.login.oauth2`` and ``m.login.token`` user-interactive authentication mechanisms.

@ -433,13 +433,12 @@ User-Interactive Authentication API
Overview Overview
<<<<<<<< <<<<<<<<
Some API endpoints require authentication that Some API endpoints require authentication that interacts with the user. The
interacts with the user. The homeserver may provide many different ways of homeserver may provide many different ways of authenticating, such as
authenticating, such as user/password auth, login via a social network (OAuth2), user/password auth, login via a single-sign-on server (SSO), etc. This
login by confirming a token sent to their email address, etc. This specification specification does not define how homeservers should authorise their users but
does not define how homeservers should authorise their users but instead instead defines the standard interface which implementations should follow so
defines the standard interface which implementations should follow so that ANY that ANY client can login to ANY homeserver.
client can login to ANY homeserver.
The process takes the form of one or more 'stages'. At each stage the client The process takes the form of one or more 'stages'. At each stage the client
submits a set of data for a given authentication type and awaits a response submits a set of data for a given authentication type and awaits a response
@ -665,11 +664,9 @@ Authentication types
This specification defines the following auth types: This specification defines the following auth types:
- ``m.login.password`` - ``m.login.password``
- ``m.login.recaptcha`` - ``m.login.recaptcha``
- ``m.login.oauth2``
- ``m.login.sso`` - ``m.login.sso``
- ``m.login.email.identity`` - ``m.login.email.identity``
- ``m.login.msisdn`` - ``m.login.msisdn``
- ``m.login.token``
- ``m.login.dummy`` - ``m.login.dummy``
Password-based Password-based
@ -746,66 +743,6 @@ To use this authentication type, clients should submit an auth dict as follows:
"session": "<session ID>" "session": "<session ID>"
} }
Token-based
<<<<<<<<<<<
:Type:
``m.login.token``
:Description:
The client submits a login token.
To use this authentication type, clients should submit an auth dict as follows:
.. code:: json
{
"type": "m.login.token",
"token": "<token>",
"txn_id": "<client generated nonce>",
"session": "<session ID>"
}
A client may receive a login ``token`` via some external service, such as email
or SMS. Note that a login token is separate from an access token, the latter
providing general authentication to various API endpoints.
Additionally, the server must encode the user ID in the ``token``; there is
therefore no need for the client to submit a separate username.
The ``txn_id`` should be a random string generated by the client for the
request. The same ``txn_id`` should be used if retrying the request. The
``txn_id`` may be used by the server to disallow other devices from using the
token, thus providing "single use" tokens while still allowing the device to
retry the request. This would be done by tying the token to the ``txn_id``
server side, as well as potentially invalidating the token completely once the
device has successfully logged in (e.g. when we receive a request from the
newly provisioned access_token).
OAuth2-based
<<<<<<<<<<<<
:Type:
``m.login.oauth2``
:Description:
Authentication is supported via OAuth2 URLs. This login consists of multiple
requests.
:Parameters:
``uri``: Authorization Request URI OR service selection URI. Both contain an
encoded ``redirect URI``.
The homeserver acts as a 'confidential' client for the purposes of OAuth2. If
the uri is a ``service selection URI``, it MUST point to a webpage which prompts
the user to choose which service to authorize with. On selection of a service,
this MUST link through to an ``Authorization Request URI``. If there is only one
service which the homeserver accepts when logging in, this indirection can be
skipped and the "uri" key can be the ``Authorization Request URI``.
The client then visits the ``Authorization Request URI``, which then shows the
OAuth2 Allow/Deny prompt. Hitting 'Allow' redirects to the ``redirect URI`` with
the auth code. Homeservers can choose any path for the ``redirect URI``. Once
the OAuth flow has completed, the client retries the request with the session
only, as above.
Single Sign-On Single Sign-On
<<<<<<<<<<<<<< <<<<<<<<<<<<<<
:Type: :Type:

Loading…
Cancel
Save