archive
/
matrix-spec
mirror of https://github.com/matrix-org/matrix-spec
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
tulir/update-signoff-requirements
release/v1.11
tulir/msc4142
release/v1.10
travis/msc2702-msc2701
rav/ref_objects_in_params
dkasak/foldable-sidebar
travis/knock-join
release/v1.9
release/v1.8
anoa/update_docsy
anoa/nix_flake
dbkr/3077-multi-stream-voip
release/v1.7
dbkr/2746-reliable-voip
rav/links_for_object_defs
release/v1.6
release/v1.5
release/v1.4
anoa/invite_knock_room_state
release/v1.3
push_gateway/r0.1.0
r0.0.0
0.2.0
application_service/r0.1.0
application_service/r0.1.1
application_service/r0.1.2
client-server/0.3.0
client-server/r0.1.0
client-server/r0.2.0
client-server/r0.3.0
client_server/r0.4.0
client_server/r0.5.0
client_server/r0.6.0
client_server/r0.6.1
identity_service/r0.1.0
identity_service/r0.2.0
identity_service/r0.2.1
identity_service/r0.3.0
push_gateway/r0.1.1
r0.0.1
server_server/r0.1.0
server_server/r0.1.1
server_server/r0.1.2
server_server/r0.1.3
server_server/r0.1.4
v1.1
v1.10
v1.11
v1.2
v1.3
v1.4
v1.5
v1.6
v1.7
v1.8
v1.9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'f313b49c26'
${ noResults }
matrix-spec/proposals/2229-rebind-existing-3pid.md

4.1 KiB
Raw Blame History

Allowing 3PID Owners to Rebind

3PID
    noun

    A "third-party identifier" such as an email address or phone number, that
    can be tied to your Matrix ID in order for your contacts outside of
    Matrix to find you, typically with the help of an identity server.

Identity server
    noun

    A queryable server that holds mappings between 3PIDs and Matrix IDs.

Bind
    verb

    Create a mapping between a 3PID and a Matrix ID. Useful for people to
    find a user based on their existing third-party contact information.

As part of the on-going privacy work, Matrix client applications are attempting to make the concept of an identity server clearer to the user, as well as allowing a user to interact with multiple identity servers while logged in. In facilitating this, Matrix clients should be able to allow logged-in users the ability to pick an identity server, see what 3PIDs they currently have bound to their Matrix ID, and bind/unbind addresses as they desire.

When implementating this functionality, a technicality in the spec was found to prevent the ability to bind the same 3PID to multiple identity servers. The line "The homeserver must check that the given email address is not already associated with an account on this homeserver." appears under the POST /_matrix/client/r0/account/3pid/email/requestToken endpoint description. The same goes for the equivalent msisdn (phone) endpoint.

When a user binds their 3PID through a homeserver to identity server A, the homeserver keeps a record and attaches the address to the local account. Then, if the user switches to identity server B to try and do the same, the homeserver will reject the second request as this address has already been bound.

Proposal

This proposal calls for allowing 3PID owners to rebind their 3PIDs using the POST /_matrix/client/r0/account/3pid/email/requestToken and POST /_matrix/client/r0/account/3pid/msisdn/requestToken endpoints by extending the definition of what homeservers should check before rejecting a bind.

Homeservers should reject the binding of a 3PID if it already been bound, unless the requesting user is the one who originally bound that 3PID. If so, then they should be able to bind it again and again if they so choose.

In doing so, users would be able to bind their 3PIDs to multiple identity servers, even if the homeserver has already been made aware of it.

Tradeoffs

Identity servers will still let 3PIDs be rebound to another Matrix ID, while a single homeserver won't let a 3PID transition between two users. If one thinks about typical internet services however, you aren't allowed to simply take an email address from another account even if you have control of it.

Potential issues

Newer clients will expect homeservers to allow them to switch between identity servers and bind/rebind emails as they please. If dealing with an older homeserver, clients will receive an HTTP 400 M_THREEPID_IN_USE. Clients should be prepared to understand that this may just mean they are dealing with an old homeserver, versus the 3PID already being bound on this homeserver by another user.

Homeservers will need to keep track of each identity server that an address has been bound with, and upon user account deactivation, should attempt to unbind all of them.

Security considerations

None.

Conclusion

By lifting the restriction of not allowing a user to bind a 3PID multiple times, we unlock the ability to interact with multiple identity servers on the same account. This not only allows the user to play around and gain a better understanding of the purpose of an identity server, but it is also one step towards further decentralisation in the identity server space.