Be clear that any 3PID token request can now be done by the hs

pull/977/head
Andrew Morgan 6 years ago
parent 9000247008
commit 3e23dde341

@ -1,16 +1,22 @@
# MSC2078 - Sending Password Reset Emails via the Homeserver # MSC2078 - Sending Third-Party Request Tokens via the Homeserver
This MSC proposes removing the current requirement of the identity server to This MSC proposes removing the current requirement of the identity server to
send password reset tokens, and allows homeservers to implement the send third-party request tokens, and allows homeservers to implement the
functionality instead. The intention is to put less trust in the identity functionality instead. These request tokens are used to verify the identity of
server which is currently one of the most centralised components of Matrix. As the request auther as an owner of the third-party identity (3PID). This can be
it stands, an attacker in control of a identity server can reset a user's used for binding a 3PID to an account, or for resetting passwords via email or
password if the identity server is considered trusted by that homeserver, and SMS. The latter is what this proposal mainly focuses on, but be aware that it
the user has registered at least one third-party identifier (3PID). This is due allows for any task that requires requesting a token through a 3PID to be
to the identity server currently handling the job of confirming the user's taken on by the homeserver instead of the identity server.
control of that identity.
The intention is to put less trust in the identity server, which is currently
The MSC aims to simply clarify that homeservers can take on the responisibility one of the most centralised components of Matrix. As it stands, an attacker in
control of a identity server can reset a user's password if the identity server
is considered trusted by that homeserver, and the user has registered at least
one 3PID. This is due to the identity server currently handling the job of
confirming the user's control of that identity.
The MSC aims to simply clarify that homeservers can take on the responsibility
of sending password reset tokens themselves. of sending password reset tokens themselves.
## Proposal ## Proposal
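Review bot: the closing paragraph of this hunk is now inconsistent with the broadened scope introduced above it. The title and first paragraph were changed from "Password Reset Emails" to "Third-Party Request Tokens" and the new text states that the homeserver may take on "any task that requires requesting a token through a 3PID", yet the final sentence is unchanged and still reads "homeservers can take on the responsibility of sending password reset tokens themselves." Suggest "of sending third-party request tokens themselves" so the summary matches the proposal's stated scope. Two spelling fixes in the added text while touching it: "the request auther" should be "the request author", and "an attacker in control of a identity server" should be "an identity server". The threat statement itself (an identity server trusted by the homeserver can reset the password of any user with a registered 3PID) is clear and is the right motivation to keep up front, since it is what justifies moving token issuance to the homeserver.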
