MSC2610: Remove m.login.oauth2 User-Interactive Authentication type from the specification
The client-server API specification defines a number of "authentication types" for use with the User-Interactive Authentication protocol.
Of these, m.login.oauth2 is underspecified and of no real use. This MSC proposes removing it.
Proposal
The definition of OAuth2-based authentication is incomplete. OAuth2 is best considered as a framework for implementing authentication protocols rather than a protocol in its own right, and this section says nothing about the grant types, flows and scopes which a compliant implementation should understand.
A better candidate for OAuth2-based authentication of Matrix clients is OpenID Connect, but this has already been implemented in Matrix via the m.login.sso authentication type.
The m.login.oauth2 section is therefore unimplementable in its current form, and redundant. It should be removed from the specification to reduce confusion.
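As an added illustration (example code, not part of this MSC or the Matrix project): a minimal client-side check of a User-Interactive Authentication 401 response that selects the first advertised flow whose stages the client can actually complete, reports flows it cannot, and builds the m.login.sso fallback URL and the retry auth object. The response keys (flows, stages, session, completed) follow the client-server spec; the sample bodies, the client's supported-stage set and the helper names are constructed for this example.

```python
"""Added example: evaluating User-Interactive Authentication (UIA) flows.

A server advertising a flow whose only stage is m.login.oauth2 leaves a
spec-compliant client with nothing it can complete, which is the practical
consequence this MSC addresses.
"""
import json
from typing import Optional
from urllib.parse import urlencode

# Stage types this hypothetical client knows how to complete (assumption).
SUPPORTED_STAGES = frozenset({"m.login.password", "m.login.sso", "m.login.dummy"})


def choose_flow(uia_body: dict, supported=SUPPORTED_STAGES) -> Optional[list]:
    """Return the stages of the first advertised flow the client can complete.

    A flow is usable only if every stage is one the client supports; stages
    the server already lists in "completed" still have to be supported.
    Returns None if no advertised flow is completable.
    """
    for flow in uia_body.get("flows", []):
        stages = flow.get("stages", [])
        if stages and all(s in supported for s in stages):
            return list(stages)
    return None


def remaining_stages(uia_body: dict, stages: list) -> list:
    """Stages of the chosen flow not yet present in the server's "completed" array."""
    done = set(uia_body.get("completed", []))
    return [s for s in stages if s not in done]


def unusable_flows(uia_body: dict, supported=SUPPORTED_STAGES) -> list:
    """Flows the client cannot complete, with the offending stage types (for logging)."""
    out = []
    for flow in uia_body.get("flows", []):
        stages = flow.get("stages", [])
        bad = [s for s in stages if s not in supported]
        if bad:
            out.append({"stages": stages, "unsupported": bad})
    return out


def sso_fallback_url(homeserver_base: str, session: str) -> str:
    """Fallback web page a client opens for the m.login.sso stage (spec endpoint)."""
    query = urlencode({"session": session})
    return f"{homeserver_base}/_matrix/client/v3/auth/m.login.sso/fallback/web?{query}"


def retry_auth_dict(session: str) -> dict:
    """After the SSO fallback completes, the client retries with only the session id."""
    return {"session": session}


# Constructed sample 401 bodies (key layout per the spec; values made up here).
SAMPLE_SSO_OR_OAUTH2 = json.loads("""
{
  "flows": [
    {"stages": ["m.login.oauth2"]},
    {"stages": ["m.login.sso"]}
  ],
  "params": {},
  "session": "constructed-session-id"
}
""")

SAMPLE_OAUTH2_ONLY = json.loads("""
{
  "flows": [{"stages": ["m.login.oauth2"]}],
  "params": {},
  "session": "constructed-session-id"
}
""")

if __name__ == "__main__":
    print(choose_flow(SAMPLE_SSO_OR_OAUTH2))  # ['m.login.sso']
    print(choose_flow(SAMPLE_OAUTH2_ONLY))    # None
    print(unusable_flows(SAMPLE_OAUTH2_ONLY))
    print(sso_fallback_url("https://example.org", SAMPLE_SSO_OR_OAUTH2["session"]))
```

Run as a script to see that the first body yields a usable m.login.sso flow while the oauth2-only body yields none; the unusable_flows output is what a client would log to explain why it stopped.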
Alternatives
It would be possible to extend the definition so that it is complete: as mentioned above, a likely implementation would be based on OpenID Connect. Matrix clients could then follow the standardised OpenID Connect flow rather than the Matrix-specific m.login.sso flow. However, this would require significant design work, and development in both clients and servers, which currently feels hard to justify when a working solution exists via m.login.sso.