Use auth header instead of query param for hs->as comms (#1200)

* Use auth header instead of query param for hs->as comms

MSC: https://github.com/matrix-org/matrix-spec-proposals/pull/2832

* Fix for OpenAPI 2
pull/1205/head
Travis Ralston 2 years ago committed by GitHub
parent ef384f1afd
commit 6dc7b95e18
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1 @@
Replace homeserver authorization approach with an `Authorization` header instead of `access_token` when talking to the application service, as per [MSC2832](https://github.com/matrix-org/matrix-spec-proposals/pull/2832).

@ -127,11 +127,27 @@ this.
#### Authorization #### Authorization
Homeservers MUST include a query parameter named `access_token` {{% changed-in v="1.4" %}}
containing the `hs_token` from the application service's registration
when making requests to the application service. Application services Homeservers MUST include an `Authorization` header, containing the `hs_token`
MUST verify the provided `access_token` matches their known `hs_token`, from the application service's registration, when making requests to the
failing the request with an `M_FORBIDDEN` error if it does not match. application service. Application services MUST verify that the provided
`Bearer` token matches their known `hs_token`, failing the request with
an `M_FORBIDDEN` error if it does not match.
The format of the `Authorization` header is similar to the [Client-Server API](/client-server-api/#client-authentication):
`Bearer TheHSTokenGoesHere`.
{{% boxes/note %}}
In previous versions of this specification, an `access_token` query
parameter was used instead. Servers should only send this query parameter
if supporting legacy versions of the specification.
If sending the `query_string`, it is encouraged to send it alongside
the `Authorization` header for maximum compatibility.
Application services should ensure both match if both are provided.
{{% /boxes/note %}}
#### Legacy routes #### Legacy routes

@ -1,4 +1,5 @@
# Copyright 2018 New Vector Ltd # Copyright 2018 New Vector Ltd
# Copyright 2022 The Matrix.org Foundation C.I.C.
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License. # you may not use this file except in compliance with the License.
@ -13,6 +14,6 @@
# limitations under the License. # limitations under the License.
homeserverAccessToken: homeserverAccessToken:
type: apiKey type: apiKey
description: The `hs_token` provided by the application service's registration. name: Authorization
name: access_token in: header
in: query description: The `Bearer` `hs_token` provided by the application service's registration.

Loading…
Cancel
Save