Remove `m.login.token` and `m.login.oauth2` UIA types

AFAIK these have never been implemented. oauth2 lacks enough info to be
sensibly implemented, and `m.login.token` just doesn't make sense.
pull/977/head
Richard van der Hoff 5 years ago
parent f632f4a20f
commit 7c6636a520

@ -431,13 +431,12 @@ User-Interactive Authentication API
Overview Overview
<<<<<<<< <<<<<<<<
Some API endpoints require authentication that Some API endpoints require authentication that interacts with the user. The
interacts with the user. The homeserver may provide many different ways of homeserver may provide many different ways of authenticating, such as
authenticating, such as user/password auth, login via a social network (OAuth2), user/password auth, login via a single-sign-on server (SSO), etc. This
login by confirming a token sent to their email address, etc. This specification specification does not define how homeservers should authorise their users but
does not define how homeservers should authorise their users but instead instead defines the standard interface which implementations should follow so
defines the standard interface which implementations should follow so that ANY that ANY client can login to ANY homeserver.
client can login to ANY homeserver.
The process takes the form of one or more 'stages'. At each stage the client The process takes the form of one or more 'stages'. At each stage the client
submits a set of data for a given authentication type and awaits a response submits a set of data for a given authentication type and awaits a response
@ -663,11 +662,9 @@ Authentication types
This specification defines the following auth types: This specification defines the following auth types:
- ``m.login.password`` - ``m.login.password``
- ``m.login.recaptcha`` - ``m.login.recaptcha``
- ``m.login.oauth2``
- ``m.login.sso`` - ``m.login.sso``
- ``m.login.email.identity`` - ``m.login.email.identity``
- ``m.login.msisdn`` - ``m.login.msisdn``
- ``m.login.token``
- ``m.login.dummy`` - ``m.login.dummy``
Password-based Password-based
@ -744,66 +741,6 @@ To use this authentication type, clients should submit an auth dict as follows:
"session": "<session ID>" "session": "<session ID>"
} }
Token-based
<<<<<<<<<<<
:Type:
``m.login.token``
:Description:
The client submits a login token.
To use this authentication type, clients should submit an auth dict as follows:
.. code:: json
{
"type": "m.login.token",
"token": "<token>",
"txn_id": "<client generated nonce>",
"session": "<session ID>"
}
A client may receive a login ``token`` via some external service, such as email
or SMS. Note that a login token is separate from an access token, the latter
providing general authentication to various API endpoints.
Additionally, the server must encode the user ID in the ``token``; there is
therefore no need for the client to submit a separate username.
The ``txn_id`` should be a random string generated by the client for the
request. The same ``txn_id`` should be used if retrying the request. The
``txn_id`` may be used by the server to disallow other devices from using the
token, thus providing "single use" tokens while still allowing the device to
retry the request. This would be done by tying the token to the ``txn_id``
server side, as well as potentially invalidating the token completely once the
device has successfully logged in (e.g. when we receive a request from the
newly provisioned access_token).
OAuth2-based
<<<<<<<<<<<<
:Type:
``m.login.oauth2``
:Description:
Authentication is supported via OAuth2 URLs. This login consists of multiple
requests.
:Parameters:
``uri``: Authorization Request URI OR service selection URI. Both contain an
encoded ``redirect URI``.
The homeserver acts as a 'confidential' client for the purposes of OAuth2. If
the uri is a ``service selection URI``, it MUST point to a webpage which prompts
the user to choose which service to authorize with. On selection of a service,
this MUST link through to an ``Authorization Request URI``. If there is only one
service which the homeserver accepts when logging in, this indirection can be
skipped and the "uri" key can be the ``Authorization Request URI``.
The client then visits the ``Authorization Request URI``, which then shows the
OAuth2 Allow/Deny prompt. Hitting 'Allow' redirects to the ``redirect URI`` with
the auth code. Homeservers can choose any path for the ``redirect URI``. Once
the OAuth flow has completed, the client retries the request with the session
only, as above.
Single Sign-On Single Sign-On
<<<<<<<<<<<<<< <<<<<<<<<<<<<<
:Type: :Type:

Loading…
Cancel
Save