archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
dbkr/msc4178
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cb7bbf3787'
${ noResults }
matrix-spec/proposals/2778-appservice-login.md

4.5 KiB
Raw Blame History

MSC2778: Providing authentication method for appservice users

Appservices within Matrix are increasingly attempting to support End-to-End Encryption. As such, they need a way to generate devices for their users so that they can participate in E2E rooms. In order to do so, this proposal suggests implementing an appservice extension to the POST /login endpoint.

Appservice users do not usually need to login as they do not need their own access token, and do not traditionally need a "device". However, E2E encryption demands that at least one user in a room has a Matrix device which means bridge users need to be able to generate a device on demand. In the past, bridge developers have used the bridge bot's device for all bridge users in the room, but this causes problems should the bridge wish to only join ghosts to a room (e.g. for DMs).

Another advantage this provides is that an appservice can now be used to generate access tokens for any user in it's namespace without having to set a password for that user, which may be useful in the case of software where maintaining password(s) in the configuration is undesirable.

Proposal

A new type is to be added to POST /login.

m.login.application_service

The /login endpoint may now take an access_token in the same way that other authenticated endpoints do. No additional parameters should be specified in the request body.

Example request

{
  "type": "m.login.application_service",
  "identifier": {
    "type": "m.id.user",
    "user": "_bridge_alice"
  }
}

Note: Implementations MUST use the identifier.type=m.id.user method of specifying the localpart. The deprecated top-level user field cannot use this login flow type. This is deliberate so as to coax developers into using the new identifier format when implementing new flows.

The response body should be unchanged from the existing /login specification.

If:

  • The access token is not provided
  • The access token does not correspond to a appservice
  • The access token does not correspond to a appservice that manages this user
  • Or the user has not previously been registered

Then the servers should reject with HTTP 403, with an errcode of "M_FORBIDDEN".

Homeservers should ignore the access_token parameter if a type other than m.login.application_service has been provided.

The expected flow for appservices would be to /register their users, and then /login to generate the appropriate device.

Potential issues

This proposal means that there will be more calls to make when setting up a appservice user, when using encryption. While this could be done during the registration step, this would prohibit creating new devices should the appservice intentionally or inadvertently lost the client-side device data.

Alternatives

One minor tweak to the current proposal could be to include the token as part of the auth data, rather than being part of the header/params to the request. An argument could be made for either, but since the specification expects the appservice to pass the token this way in all requests, including /register, it seems wise to keep it that way.

Some community members have used implementation details such as a "shared secret" authentication method to log into the accounts without having to use the /login process at all. Synapse provides such a function, but also means the appservice can now authenticate as any user on the homeserver. This seems undesirable from a security standpoint.

A third option could be to create a new endpoint that simply creates a new device for an appservice user on demand. Given the rest of the matrix eco-system does this with /login, and /login is already extensible with type, it would create more work for all parties involved for little benefit.

Security considerations

None

Unstable prefix

Implementations should use uk.half-shot.msc2778.login.application_service for type given in the POST /login until this lands in a released version of the specification.

Implementations

The proposal has been implemented by a homeserver, a bridge SDK and two bridges: