Final tweaks for the OAuth 2.0 API (#2164)

* Clarify that SSO login applies to the legacy authentication API Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Do not point to specific authentication API for obtaining access token Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Add warnings about incompatibility with OAuth 2.0 to endpoints that use UIA Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Add changelog Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Add note about API standards not applying to OAuth 2.0 Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> * Apply suggestions from code review --------- Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr> Co-authored-by: Travis Ralston <travpc@gmail.com>
5 months ago · 1c06ed9cf7
parent 6353b46add
commit 1c06ed9cf7
7 changed files with 41 additions and 13 deletions
--- a/changelogs/client_server/newsfragments/2164.feature
+++ b/changelogs/client_server/newsfragments/2164.feature
@ -0,0 +1 @@
 Add the OAuth 2.0 based authentication API, as per [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) and its sub-proposals.
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@ -12,6 +12,12 @@ clients which maintain a full local persistent copy of server state.
 ## API Standards
 {{% boxes/note %}}
 These standards only apply to the APIs defined in the Matrix specification. APIs
 used by this specification but defined in other specifications, like the [OAuth
 2.0 API](#oauth-20-api), use their own rules.
 {{% /boxes/note %}}
 The mandatory baseline for client-server communication in Matrix is
 exchanging JSON objects over HTTP APIs. More efficient transports may be
 specified in future as optional extensions.
--- a/content/client-server-api/modules/sso_login.md
+++ b/content/client-server-api/modules/sso_login.md
@ -6,9 +6,10 @@ allow users to log into applications via a single web-based
 authentication portal. Examples include OpenID Connect, "Central
 Authentication Service" (CAS) and SAML.
-This module allows a Matrix homeserver to delegate user authentication
+This module allows a Matrix homeserver that supports the [legacy authentication
-to an external authentication server supporting one of these protocols.
+API](#legacy-api) to delegate user authentication to an external authentication
-In this process, there are three systems involved:
+server supporting one of these protocols. In this process, there are three
 systems involved:
 -   A Matrix client, using the APIs defined in this specification, which
    is seeking to authenticate a user to a Matrix homeserver.
@ -24,7 +25,7 @@ used to communicate with the authentication server. Different Matrix
 homeserver implementations might support different SSO protocols.
 Clients and homeservers implementing the SSO flow will need to consider
-both [login](#login) and [user-interactive authentication](#user-interactive-authentication-api). The flow is
+both [login](#legacy-login) and [user-interactive authentication](#user-interactive-authentication-api). The flow is
 similar in both cases, but there are slight differences.
 Typically, SSO systems require a single "callback" URI to be configured
--- a/data/api/client-server/administrative_contact.yaml
+++ b/data/api/client-server/administrative_contact.yaml
@ -201,6 +201,11 @@ paths:
        Homeservers should prevent the caller from adding a 3PID to their account if it has
        already been added to another user's account on the homeserver.
        {{% boxes/warning %}}
        Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/warning %}}
      operationId: add3PID
      security:
        - accessTokenQuery: []
--- a/data/api/client-server/cross_signing.yaml
+++ b/data/api/client-server/cross_signing.yaml
@ -26,7 +26,7 @@ paths:
        Publishes cross-signing keys for the user.
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
-        
+
        User-Interactive Authentication MUST be performed, except in these cases:
        - there is no existing cross-signing master key uploaded to the homeserver, OR
        - there is an existing cross-signing master key and it exactly matches the
@ -34,11 +34,16 @@ paths:
          keys provided in the request (self-signing key, user-signing key) they MUST also
          match the existing keys stored on the server. In other words, the request contains
          no new keys.
-        
+
        This allows clients to freely upload one set of keys, but not modify/overwrite keys if
-        they already exist. Allowing clients to upload the same set of keys more than once 
+        they already exist. Allowing clients to upload the same set of keys more than once
        makes this endpoint idempotent in the case where the response is lost over the network,
        which would otherwise cause a UIA challenge upon retry.
        {{% boxes/warning %}}
        When this endpoint requires User-Interactive Authentication, it cannot be used when the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/warning %}}
      operationId: uploadCrossSigningKeys
      security:
        - accessTokenQuery: []
--- a/data/api/client-server/definitions/security.yaml
+++ b/data/api/client-server/definitions/security.yaml
@ -14,8 +14,8 @@
 accessTokenQuery:
  type: apiKey
  description: |-
-    **Deprecated.** The `access_token` returned by a call to `/login` or `/register`, as a query
+    **Deprecated.** The `access_token` obtained during [account registration](/client-server-api/#account-registration)
-    parameter.
+    or [login](/client-server-api/#login), as a query parameter.
    It can also be the `as_token` of an application service.
  name: access_token
@ -23,11 +23,11 @@ accessTokenQuery:
 accessTokenBearer:
  type: http
  description: |-
-    The `access_token` returned by a call to `/login` or `/register`, using the
+    The `access_token` obtained during [account registration](/client-server-api/#account-registration)
-    `Authorization: Bearer` header.
+    or [login](/client-server-api/#login), using the `Authorization: Bearer` header.
    It can also be the `as_token` of an application service.
-    
+
    This is the preferred method.
  scheme: bearer
 appserviceAccessTokenQuery:
@ -42,6 +42,6 @@ appserviceAccessTokenBearer:
  description: |-
    The `as_token` of an application service, using the `Authorization: Bearer`
    header.
-    
+
    This is the preferred method.
  scheme: bearer
--- a/data/api/client-server/device_management.yaml
+++ b/data/api/client-server/device_management.yaml
@ -137,6 +137,11 @@ paths:
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
        Deletes the given device, and invalidates any access token associated with it.
        {{% boxes/warning %}}
        Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/warning %}}
      operationId: deleteDevice
      security:
        - accessTokenQuery: []
@ -189,6 +194,11 @@ paths:
        This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
        Deletes the given devices, and invalidates any access token associated with them.
        {{% boxes/warning %}}
        Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
        via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
        {{% /boxes/warning %}}
      operationId: deleteDevices
      security:
        - accessTokenQuery: []
		`@ -0,0 +1 @@`
							`Add the OAuth 2.0 based authentication API, as per [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) and its sub-proposals.`