archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge 6e7c8a6da0 into 2cc7e13c09

Browse Source
Kévin Commaille 1 week ago committed by GitHub
parent 2cc7e13c09 6e7c8a6da0
commit 60e64d8082
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 85 additions and 1 deletions
Show Stats Download Patch File Download Diff File

1
changelogs/client_server/newsfragments/2270.feature
Unescape Escape View File

@ -0,0 +1 @@
Add the account management capabilities for the OAuth 2.0 authentication API, as per [MSC4191](https://github.com/matrix-org/matrix-spec-proposals/pull/4191).

50
content/client-server-api/_index.md
Unescape Escape View File

@ -645,7 +645,7 @@ manage their account like [changing their password](#password-management),
[deactivating their account](#account-deactivation).
With the OAuth 2.0 API, all account management is done via the homeserver's web
UI.
UI that can be accessed by users via the [account management URL](#oauth-20-account-management).
### Legacy API
@ -2271,6 +2271,54 @@ The server SHOULD return one of the following responses:
- For other errors, the server returns a `400 Bad Request` response with error
details
#### Account management {id="oauth-20-account-management"}
{{% added-in v="1.18" %}}
All account management is done via the homeserver's web UI.
This specification defines extensions to the [OAuth Authorization Server
Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata)
to offer clients a way to deep-link to the account management capabilities of
the homeserver to allow the user to complete the account management operations
in a browser.
##### Account management URL discovery
The [OAuth 2.0 authorization server metadata](#server-metadata-discovery) is
extended to include the following fields:
| Field | Description |
|----------------------------------------|-------------------------------------------------------------------------------------------------|
| `account_management_uri` | The URL where the user is able to access the account management capabilities of the homeserver. |
| `account_management_actions_supported` | An array of actions that the account management URL supports, as defined below. |
##### Account management URL parameters
The account management URL MAY accept the following query parameters:
| Parameter | Description |
|-------------|---------------------------------------------------------------------------------------------------------------------------------------|
| `action` | **Optional**. The action that the user wishes to take. Must match one of the actions in `account_management_actions_supported` above. |
| `device_id` | **Optional**. Identifies a particular Matrix device ID for actions that support it. |
If the `org.matrix.device_view` or `org.matrix.device_delete` actions are
advertised as supported by the server then the server SHOULD support the
`device_id` parameter.
##### Account management URL actions
The following account management actions are defined:
| Action | Description |
|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
| `org.matrix.profile` | The user wishes to view/edit their profile (name, avatar, contact details). |
| `org.matrix.devices_list` | The user wishes to view a list of their devices. |
| `org.matrix.device_view` | The user wishes to view the details of a specific device. A `device_id` SHOULD be provided. |
| `org.matrix.device_delete` | The user wishes to delete/log out a specific device. A `device_id` SHOULD be provided. |
| `org.matrix.account_deactivate` | The user wishes to deactivate their account. |
| `org.matrix.cross_signing_reset` | The user wishes to reset their cross-signing identity. Servers SHOULD use this action in the URL of the [`m.oauth`](#oauth-authentication) UIA type. |
### Account moderation
#### Account locking

35
data/api/client-server/oauth_server_metadata.yaml
Unescape Escape View File

@ -139,6 +139,32 @@ paths:
items:
type: string
description: A prompt value that the server supports.
account_management_uri:
x-addedInMatrixVersion: "1.18"
type: string
format: uri
description: |-
The URL where the user is able to access the account management capabilities
of the homeserver.
This is an extension [defined in this specification](/client-server-api/#oauth-20-account-management).
account_management_actions_supported:
x-addedInMatrixVersion: "1.18"
type: array
description: |-
List of actions that the account management URL supports.
This is an extension [defined in this specification](/client-server-api/#oauth-20-account-management).
items:
type: string
enum:
- "org.matrix.profile"
- "org.matrix.devices_list"
- "org.matrix.device_view"
- "org.matrix.device_delete"
- "org.matrix.account_deactivate"
- "org.matrix.cross_signing_reset"
description: An action that the account management URL supports.
required:
- issuer
- authorization_endpoint
@ -159,6 +185,15 @@ paths:
"grant_types_supported": ["authorization_code", "refresh_token"],
"response_modes_supported": ["query", "fragment"],
"code_challenge_methods_supported": ["S256"],
"account_management_uri": "https://account.example.com/manage",
"account_management_actions_supported": [
"org.matrix.profile",
"org.matrix.devices_list",
"org.matrix.device_view",
"org.matrix.device_delete",
"org.matrix.account_deactivate",
"org.matrix.cross_signing_reset",
],
}
tags:
- Session management

Write Preview
Loading…
Cancel
Save