archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
release/v1.12
dbkr/msc4178
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.12
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e32d9a9af3'
${ noResults }
matrix-spec/proposals/2611-remove-login-auth-type.md

2.0 KiB
Raw Blame History

MSC2611: Remove m.login.token User-Interactive Authentication type from the specification

The client-server API specification defines a number of "authentication types" for use with the User-Interactive Authentication protocol.

Of these, m.login.token is unused and confusing. This MSC proposes removing it.

Proposal

The definition of token-based authentication is unclear about how this authentication type should be used. It suggests "via some external service, such as email or SMS", but in practice those validation mechanisms have their own token-submission mechanisms (for example, the submit_url field of the responses from /account/password/email/requestToken and /account/password/msisdn/requestToken respectively). Additionally, the specification requires that "the server must encode the user ID in the token", which seems at odds with any token which can be sent to a user over SMS.

Additional confusion stems from the presence of an m.login.token login type, which is used quite differently: it forms part of the single-sign-on login flow. For clarity: this proposal does not suggest making any changes to the m.login.token login type.

In practice, we are not aware of any implementations of the m.login.token authentication type, and the inconsistency adds unnecessary confusion to the specification.

Potential Issues

It's possible that somebody has found a use for this mechanism. However, that would necessarily entail some custom development of clients and servers, so is not materially affected by the removal from the specification.