archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
anoa/endpoint_list_cs_module_groups
anoa/endpoint_list
anoa/endpoint_list_cs_module
main
release/v1.16
release/v1.15
release/1.14
release/v1.13
release/v1.12
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.12
v1.13
v1.14
v1.15
v1.16
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6fa754c447'
${ noResults }
matrix-spec/proposals/1730-cs-api-in-login-respon...

129 lines
5.8 KiB
Markdown
Raw Blame History

# MSC1730: Mechanism for redirecting to an alternative server during login
Complex homeserver deployments may consist of several homeserver instances,
where the HS to be used for a user session is determined at login time. The HS
might be chosen based on any of a number of factors, such as the individual
user, or a simple round-robin to load-balance.
One solution to this is for users to log in via a "portal server", which
accepts the login request, and picks the server accordingly. This proposal
suggests adding a field to the `/login` response which tells clients which
endpoint they should use for the client-server (C-S) API after login.
## Proposal
The response to `POST /_matrix/client/r0/login` currently includes the fields
`user_id`, `access_token`, `device_id`, and the deprecated `home_server`.
We should add to this a `base_cs_url` field, which SHOULD be returned by
compliant homeservers, which gives a base URL for the client-server API.
As with
[.well-known](https://matrix.org/docs/spec/client_server/r0.4.0.html#well-known-uri),
clients would then add `/_matrix/client/...` to this URL to form valid C-S
endpoints.
One way that this could be used is that the portal server proxies the `/login`
request, and passes it on to the target HS, as shown in the sequence diagram below:
![Sequence diagram](images/1730-seq-diagram.svg)
Alternatively, the portal server could redirect the original `login` request to
the target HS with a `307 Temporary Redirect` response:
![Sequence diagram](images/1730-seq-diagram-2.svg)
(Note that the deprecated `home_server` field gives the `server_name` of the
relevant homeserver, which may be quite different to the location of the C-S
API, so is not of use here. Further we cannot repurpose it, because (a) this
might break existing clients; (b) it spells homeserver wrong.)
### Notes on proxying vs redirecting
Proxying the `/login` request as shown in the first sequence diagram above
leads to the following concerns:
* The target homeserver sees the request coming from the portal server rather
than the client, so that the wrong IP address will be recorded against the
user's session. (This might be a problem for, for example, IP locking the
session, and might affect the `last_seen_ip` field returned by `GET
/_matrix/client/r0/devices`.)
This can be mitigated to some extent via the use of an `X-Forwarded-For`
header, but that then requires the portal server to authenticate itself with
the target homeserver in some way.
* It causes additional complexity in the portal server, which must now be
responsible for making outbound HTTP requests.
* It potentially leads to a privacy leak, since the portal server could snoop
on the returned access token. (Given that the portal server must be trusted
to some extent in this architecture, it is unclear how much of a concern this
really is.)
On the other hand, redirecting it with a `307` response may reduce flexibility,
or require more state to be managed on the portal server [1]. Furthermore
support for `307` redirects among user-agents may vary
([RFC2616](https://tools.ietf.org/html/rfc2616#section-10.3.8) said "If the 307
status code is received in response to a request other than GET or HEAD, the
user agent MUST NOT automatically redirect the request unless it can be
confirmed by the user", though this appears to have been dropped by
[RFC7231](https://tools.ietf.org/html/rfc7231#section-6.4.7) and I am unaware
of any current browsers which do not follow `307` redirects.)
In any case, this is an implementation decision; portal servers can use
whichever method best suits their needs.
## Rejected solutions
Alternative solutions might include:
### Proxy all C-S endpoints
It would be possible for the portal to proxy all C-S interaction, as well as
`/login`, directing requests to the right server for the user.
This is unsatisfactory due to the additional latency imposed, the load on the
portal server, and the fact that it makes the portal a single point of failure
for the entire system.
### Perform a .well-known lookup after login
Once clients know the server name of the homeserver they should be using
(having extracted it from the `/login` response), they could perform a
`.well-known` lookup on the target server to locate its C-S API.
This has the advantage of reusing existing mechanisms, but has the following
problems:
* Clients are currently required to do a `.well-known` lookup *before* login,
so that they can find the correct endpoint for the `/login` API. That means
they will have to do *two* `.well-known` lookups - one before and one after
login.
This adds latency and overhead, and complicates client implementations.
* It complicates deployment, since each target server has to support a
`.well-known` lookup. (This is somewhat weak: target servers should
support `.well-known` lookups anyway.)
### Add an alternative redirection mechanism in the login flow
We could specify that the `/login` response could contain a `redirect` field
property instead of the existing `user_id`/`access_token`/`device_id`
properties. The `redirect` property would give the C-S API of the target
HS. The client would then repeat its `/login` request, and use the specified
endpoint for all future C-S interaction.
This approach would complicate client implementations.
[1] The reason more state is needed is as follows: because the portal is now
redirecting the login rather than proxying it, it cannot modify the login
dictionary. This is a problem for the single-sign-on flow, which culminates in
an `m.login.token` login. The only way that the portal can identify a given
user session - and thus know where to redirect to - is via the login token, and
of course, it cannot modify that token without making it invalid for the target
HS. It therefore has to use the login token as a session identifier, and store
session state..
Reference in New Issue View Git Blame Copy Permalink