Deprecate authentication via a query string (#1808)

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
pull/1801/head
Kévin Commaille 7 months ago committed by GitHub
parent ae70b5fcf3
commit 625999a039
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -0,0 +1 @@
Deprecate authentication via a query string, as per [MSC4126](https://github.com/matrix-org/matrix-spec-proposals/issues/4126).

@ -0,0 +1 @@
Deprecate authentication via a query string, as per [MSC4126](https://github.com/matrix-org/matrix-spec-proposals/issues/4126).

@ -390,8 +390,7 @@ specify parameter values. The flow for this method is as follows:
## Client Authentication
Most API endpoints require the user to identify themselves by presenting
previously obtained credentials in the form of an `access_token` query
parameter or through an Authorization Header of `Bearer $access_token`.
previously obtained credentials in the form of an access token.
An access token is typically obtained via the [Login](#login) or
[Registration](#account-registration-and-management) processes. Access tokens
can expire; a new access token can be generated by using a refresh token.
@ -405,16 +404,19 @@ investigate [macaroons](http://research.google.com/pubs/pub41892.html).
### Using access tokens
Access tokens may be provided in two ways, both of which the homeserver
MUST support:
Access tokens may be provided via a request header, using the Authentication
Bearer scheme: `Authorization: Bearer TheTokenHere`.
1. Via a query string parameter, `access_token=TheTokenHere`.
2. Via a request header, `Authorization: Bearer TheTokenHere`.
Clients may alternatively provide the access token via a query string parameter:
`access_token=TheTokenHere`. This method is deprecated to prevent the access
token being leaked in access/HTTP logs and SHOULD NOT be used by clients.
Clients are encouraged to use the `Authorization` header where possible
to prevent the access token being leaked in access/HTTP logs. The query
string should only be used in cases where the `Authorization` header is
inaccessible for the client.
Homeservers MUST support both methods.
{{% boxes/note %}}
{{% changed-in v="1.11" %}}
Sending the access token as a query string parameter is now deprecated.
{{% /boxes/note %}}
When credentials are required but missing or invalid, the HTTP call will
return with a status of 401 and the error code, `M_MISSING_TOKEN` or

@ -162,15 +162,20 @@ of access tokens to authenticate users. The access tokens provided by an
Identity Server cannot be used to authenticate Client-Server API
requests.
An access token is provided to an endpoint in one of two ways:
Access tokens may be provided via a request header, using the
Authentication Bearer scheme: `Authorization: Bearer TheTokenHere`.
1. Via a query string parameter, `access_token=TheTokenHere`.
2. Via a request header, `Authorization: Bearer TheTokenHere`.
Clients may alternatively provide the access token via a query string
parameter: `access_token=TheTokenHere`. This method is deprecated to
prevent the access token being leaked in access/HTTP logs and SHOULD NOT
be used by clients.
Clients are encouraged to the use the `Authorization` header where
possible to prevent the access token being leaked in access/HTTP logs.
The query string should only be used in cases where the `Authorization`
header is inaccessible for the client.
Identity Servers MUST support both methods.
{{% boxes/note %}}
{{% changed-in v="1.11" %}}
Sending the access token as a query string parameter is now deprecated.
{{% /boxes/note %}}
When credentials are required but missing or invalid, the HTTP call will
return with a status of 401 and the error code `M_UNAUTHORIZED`.

@ -14,7 +14,7 @@
accessTokenQuery:
type: apiKey
description: |-
The `access_token` returned by a call to `/login` or `/register`, as a query
**Deprecated.** The `access_token` returned by a call to `/login` or `/register`, as a query
parameter.
It can also be the `as_token` of an application service.
@ -33,7 +33,8 @@ accessTokenBearer:
appserviceAccessTokenQuery:
type: apiKey
description: |-
The `as_token` of an application service, as a query parameter.
**Deprecated.** The `as_token` of an application service, as a query
parameter.
name: access_token
in: query
appserviceAccessTokenBearer:

@ -14,7 +14,8 @@
accessTokenQuery:
type: apiKey
description: |-
The `access_token` returned by a call to `/register`, as a query parameter.
**Deprecated.** The `access_token` returned by a call to `/register`, as a
query parameter.
name: access_token
in: query
accessTokenBearer:

Loading…
Cancel
Save