Reword following widget spec

pull/977/head
Travis Ralston 4 years ago
parent e304109289
commit c9e8326783

@ -1,61 +1,144 @@
# MSC1960: OpenID Connect information exchange for widgets # MSC1960: OpenID Connect information exchange for widgets
With the various integrations API proposals, widgets are left with no options to verify the Widgets are currently left with no options to verify the user's ID, making it hard for
requesting user's ID if they need it. Widgets like the sticker picker must know who is making personalized and authenticated widgets to exist. The spec says the `$matrix_user_id`
the request and as such need a way to get accurate information about who is contacting them. template variable cannot be relied upon due to how easy it is to faslify, which is true.
This proposal introduces a way for widgets (room and account) to do so over the `fromWidget` This MSC aims to solve the problem with verifiably accurate OpenID Connect credentials.
API proposed by [MSC1236](https://github.com/matrix-org/matrix-doc/issues/1236).
As of writing, the best resource to learn more about the widgets spec is the following
spec PR: https://github.com/matrix-org/matrix-doc/pull/2764
## Proposal ## Proposal
Room and account widgets may request new OpenID Connect credentials from the user so they can log in/register with Typically widgets which need to accurately verify the user's identity will also have a
the backing integration manager or other application. This is largely based on the prior art available backend service of some kind. This backend service likely already uses the integration
[here (element-web#7153)](https://github.com/vector-im/element-web/issues/7153). The rationale for such an manager authentication APIs introduced by [MSC1961](https://github.com/matrix-org/matrix-doc/pull/1961).
API is so that widgets can load things like a user's sticker packs or other information without having
to rely on secret strings. For example, a room could be used to let a user create custom sticker packs Through using the same concepts from MSC1961, the widget can verify the user's identity
via a common widget - it would be nice if that widget could auth the user without asking them to enter by requesting a fresh OpenID Connect credential object to pass along to its backend, like
their username and password into an iframe. the integration manager which might be running it.
Widgets can request OpenID Connect credentials from the user by sending a `fromWidget` action of `get_openid` The protocol sequence defined here is based upon the previous discussion in the Element Web
to initiate the token exchange process. The client responds with an acknowledgement of issue tracker: https://github.com/vector-im/element-web/issues/7153
`{"state":"request"}` (or `{"state":"blocked"}` if the client/user doesn't think the widget is safe).
The client then prompts the user if the widget should be allowed to get details about the user, It is proposed that after the capabilities negotation, the widget can ask the client for
optionally providing a way for the user to always accept/deny the widget. If the user agrees, the an OpenID Connect credential object so it can pass it along to its backend for validation.
client sends a `toWidget` action of `openid_credentials` with `data` holding the raw OpenID Connect credentials The request SHOULD result in the user being prompted to confirm that the widget can have
object returned from the homeserver, and a `success: true` parameter, similar to the following: their information. Because of this user interaction, it's not always possible for the user
to complete the approval within the 10 second suggested timeout by the widget spec. As
such, the initial request by the widget can have one of three states:
1. The client indicates that the user is being prompted (to be followed up on).
2. The client sends over credentials for the widget to verify.
3. The client indicates the request was blocked/denied.
The initial request from the widget looks as follows:
```json
{
"api": "fromWidget",
"action": "get_openid",
"requestId": "AAABBB",
"widgetId": "CCCDDD",
"data": {}
}
```
Which then receives a response which has a `state` field alongside potentially the credentials
to be verified. Matching the order of possible responses above, here are examples:
```json
{
"api": "fromWidget",
"action": "get_openid",
"requestId": "AAABBB",
"widgetId": "CCCDDD",
"data": {},
"response": {
"state": "request"
}
}
``` ```
```json
{
"api": "fromWidget",
"action": "get_openid",
"requestId": "AAABBB",
"widgetId": "CCCDDD",
"data": {},
"response": {
"state": "allowed",
"access_token": "s3cr3t",
"token_type": "Bearer",
"matrix_server_name": "example.org",
"expires_in": 3600
}
}
```
```json
{
"api": "fromWidget",
"action": "get_openid",
"requestId": "AAABBB",
"widgetId": "CCCDDD",
"data": {},
"response": {
"state": "blocked"
}
}
```
The credential information is directly copied from the `/_matrix/client/r0/user/:userId/openid/request_token`
response.
In the case of `state: "request"`, the user is being asked to approve the widget's attempt to
verify their identity. To ensure that future requests are quicker, clients are encouraged to
include a "remember this widget" option to make use of the immediate `state: "allowed"` or
`state: "blocked"` responses above.
There is no timeout associated with the user making their selection. Once a user does make
a selection (allow or deny the request), the client sends a `toWidget` request to indicate the
result, using a very similar structure to the above immediate responses:
```json
{ {
"api": "toWidget", "api": "toWidget",
"requestId": "AABBCC",
"action": "openid_credentials", "action": "openid_credentials",
"widgetId": "DDEEFF", "requestId": "EEEFFF",
"widgetId": "CCCDDD",
"data": { "data": {
"success": true, "state": "allowed",
"access_token": "SecretTokenHere", "original_request_id": "AAABBB",
"access_token": "s3cr3t",
"token_type": "Bearer", "token_type": "Bearer",
"matrix_server_name": "example.com", "matrix_server_name": "example.org",
"expires_in": 3600 "expires_in": 3600
} }
} }
``` ```
For clarity, the `data` consists of properties as returned by `/_matrix/client/r0/user/:userId/openid/request_token` ```json
plus the `success` parameter. {
"api": "toWidget",
If the user denies the widget, just `success: false` is returned in the `data` property. "action": "openid_credentials",
"requestId": "EEEFFF",
To lessen the number of requests, a client can also respond to the original `get_openid` request with a "widgetId": "CCCDDD",
`state` of `"allowed"`, `success: true`, and the OpenID Connect credentials object (just like in the `data` for "data": {
`openid_credentials`). "state": "blocked",
"original_request_id": "AAABBB"
}
}
```
The widget should not request OpenID Connect credentials until after it has exchanged capabilities with the client, `original_request_id` is the `requestId` of the `get_openid` request which started the prompt,
however this is not required to wait for the capabiltiies exchange. for the widget's reference.
The widget acknowledges the `openid_credentials` request with an empty response object. The widget acknowledges receipt of the credentials with an empty `response` object.
A successful sequence diagram for this flow is as follows: A typical sequence diagram for this flow is as follows:
``` ```
+-------+ +---------+ +---------+ +-------+ +---------+ +---------+
@ -63,10 +146,10 @@ A successful sequence diagram for this flow is as follows:
+-------+ +---------+ +---------+ +-------+ +---------+ +---------+
| | | | | |
| | Capabilities negotiation | | | Capabilities negotiation |
| |<-----------------------------------------| | |----------------------------------------->|
| | | | | |
| | Capabilities negotiation | | | Capabilities negotiation |
| |----------------------------------------->| | |<-----------------------------------------|
| | | | | |
| | fromWidget get_openid request | | | fromWidget get_openid request |
| |<-----------------------------------------| | |<-----------------------------------------|
@ -89,14 +172,16 @@ A successful sequence diagram for this flow is as follows:
Prior to this proposal, widgets could use an undocumented `scalar_token` parameter if the client chose to Prior to this proposal, widgets could use an undocumented `scalar_token` parameter if the client chose to
send it to the widget. Clients typically chose to send it if the widget's URL matched a whitelist for URLs send it to the widget. Clients typically chose to send it if the widget's URL matched a whitelist for URLs
the client trusts. Widgets are now not able to rely on this behaviour with this proposal, although clients the client trusts. With the widget specification as written, widgets cannot rely on this behaviour.
may wish to still support it until adoption is complete. Widgets may wish to look into cookies and other
storage techniques to avoid continously requesting credentials, regardless of how they got those credentials.
An implementation of this proposal is [here](https://github.com/matrix-org/matrix-react-sdk/pull/2781). Widgets may wish to look into cookies and other storage techniques to avoid continously requesting
credentials. Widgets should also look into [MSC1961](https://github.com/matrix-org/matrix-doc/pull/1961)
for information on how to properly verify the OpenID Connect credentials it will be receiving. The
widget is ultimately responsible for how it deals with the credentials, though the author recommends
handing it off to an integration manager's `/register` endpoint to acquire a single token string
instead.
The widget is left responsible for dealing with the OpenID object it receives, likely handing it off to An implementation of this proposal's early draft is here: https://github.com/matrix-org/matrix-react-sdk/pull/2781
the integration manager it is backed by to exchange it for a long-lived Bearer token.
## Security considerations ## Security considerations

Loading…
Cancel
Save