From dcae88c29011e8e1a4349137b42a6b63181b5385 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travpc@gmail.com>
Date: Tue, 7 Aug 2018 22:13:21 -0600
Subject: [PATCH] Document OpenID in the server-server API

Part of https://github.com/matrix-org/matrix-doc/issues/857

Reference: https://github.com/matrix-org/synapse/blob/d69decd5c78c72abef50b597a689e2bc55a39702/synapse/federation/transport/server.py#L543-L557
---
 api/server-server/openid.yaml       | 63 +++++++++++++++++++++++++++++
 specification/server_server_api.rst | 12 ++++++
 2 files changed, 75 insertions(+)
 create mode 100644 api/server-server/openid.yaml

diff --git a/api/server-server/openid.yaml b/api/server-server/openid.yaml
new file mode 100644
index 00000000..0eac48c8
--- /dev/null
+++ b/api/server-server/openid.yaml
@@ -0,0 +1,63 @@
+# Copyright 2017 Kamax.io
+# Copyright 2018 New Vector Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+swagger: '2.0'
+info:
+  title: "Matrix Federation OpenID API"
+  version: "1.0.0"
+host: localhost:8448
+schemes:
+  - https
+basePath: /_matrix/federation/v1
+produces:
+  - application/json
+paths:
+  "/openid/userinfo":
+    get:
+      summary: Exchange an OpenID token for user information
+      description: |-
+        Exchanges an OpenID access token for information about the user
+        who generated the token. Currently this only exposes the Matrix
+        User ID of the owner.
+      operationId: exchangeOpenIdToken
+      parameters:
+        - in: path
+          name: access_token
+          type: string
+          description: |-
+            The OpenID access token to get information about the owner for.
+          required: true
+          x-example: SomeT0kenHere
+      responses:
+        200:
+          description: |-
+            Information about the user who generated the OpenID access token.
+          schema:
+            type: object
+            properties:
+              sub:
+                type: string
+                description: The Matrix User ID who generated the token.
+                example: "@alice:example.com"
+            required: ['sub']
+        401:
+          description: The token was not recognized or has expired.
+          schema:
+            $ref: "../client-server/definitions/errors/error.yaml"
+          examples:
+            application/json: {
+              "errcode": "M_UNKNOWN_TOKEN",
+              "error": "Access token unknown or expired"
+            }
diff --git a/specification/server_server_api.rst b/specification/server_server_api.rst
index 84a76639..e6fc8936 100644
--- a/specification/server_server_api.rst
+++ b/specification/server_server_api.rst
@@ -995,6 +995,18 @@ that can be made.
 
 {{query_ss_http_api}}
 
+OpenID
+------
+
+Third party services can exchange an access token previously generated by the 
+`Client-Server API` for information about a user. This can help verify that a
+user is who they say they are without granting full access to the user's account.
+
+Access tokens generated by the OpenID API are only good for the OpenID API and 
+nothing else.
+
+{{openid_ss_http_api}}
+
 Send-to-device messaging
 ------------------------