-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3pid authentication #60
Conversation
LoginRequestJson loginRequestJson = parser.parse(req, LoginRequestJson.class); | ||
|
||
// find 3PID locally (only if 'medium' and 'address' are defined in request) | ||
if (StringUtils.isNotBlank(loginRequestJson.getAddress()) && StringUtils.isNotBlank(loginRequestJson.getMedium())) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading the official /_matrix/client/r0/loign endpoint specification, it does not state the precise conditions to differiencate between a regular and a 3PID adress, except for one line in the description of the JSON body parameter medium
which reads:
When logging in using a third party identifier, the medium of the identifier. [...]
So I think the best way found would be to check if the medium is set, and not if medium AND address is set.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I correct it.
I realised this condition is actually not necessary.
@@ -0,0 +1,105 @@ | |||
package io.kamax.mxisd.controller.auth.v1.io; | |||
|
|||
public class LoginRequestJson { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't take into account the Reverse engineered /_matrix/client/r0/login endpoint documentation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't aware of this spec while coding.
I take it into consideration.
// invoke 'login' on homeserver | ||
LoginResponseJson loginResponseJson; | ||
HttpPost httpPost = RestClientUtils.post(urlToLogin, gson.toJson(loginRequestJson)); | ||
CloseableHttpClient client = HttpClients.createDefault(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why create a new client per request? It would be best avoid creating potentially expensive object here, and only do it once when the class is instantiated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was just a "copy" from some other classes (RemoteIdentityServerFetcher.java, RestProvider.java).
By the way, I agreed with you regarding usage of Apache HttpClients. My point is the client shall be instianted once from some kind of singleton class. This comment should be considered for a futur release.
} | ||
|
||
@Override | ||
public String toString() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we actually need this somewhere? If yes, is it really wise to include the password?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's just an habit.
But you're right, I'll "shadow" the pasword.
private String address; | ||
private String password; | ||
private String token; | ||
private String device_id; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gson allows to write fields with Java naming convention, like deviceId
. See GsonUtil for getting a Gson instance with the right settings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't aware of that.
However, from my point of view, I'll prefer to keep this naming, because this class is just a pojo reflecting the spec, I think it is easier to read and make link with the actual spec. (in one sense, the "toString" method reflects exactly the Json data)
… on 'medium' and 'address' fields
774d1aa
to
82c7671
Compare
- [Backends](#backends) | ||
|
||
## Description | ||
Authentication is an enhanced Identity feature of mxisd to ensure coherent and centralized identity management. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Not necessary centralized - you can have several identity stores.
Identity management
might be misleading, as mxisd doesn't do any management, only reads data.
I like the spirit of the sentence, but not the wording :D I also don't have a good idea about the wording at this point
docs/features/authentication.md
Outdated
|
||
It allows to use Identity stores configured in mxisd to authenticate users on your Homeserver. | ||
|
||
This feature can also provide the ability to users to login on the Homeserver using their thirdparty identities provided by this Identity store. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thirdparty identities
is not used anymore else. Let's be consistent throughout the whole documentation. I believe I called it3PIDs
everywhere else.by this Identity store
- which "this"? There is no reference to an identity store in the sentence or paragraph.
docs/features/authentication.md
Outdated
|
||
|
||
## Advanced Authentication | ||
The Authentication feature offers users to login to your Homeserver by using their third party identifier (3PID) registered in your Identity store. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... feature offers users ...
->... feature allows users ...
... to your Homeserver ...
->... to their Homeserver...
... in your Identity store.
->... in an available Identity store.
docs/features/authentication.md
Outdated
|
||
``` | ||
|
||
Steps of user authentication using a third party identifier: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
third party identifier
-> 3PID
docs/features/authentication.md
Outdated
`name` must be the hostname of the URL that clients use when connecting to the Homeserver. | ||
In case the hostname is the same as your Matrix domain, you can use `${matrix.domain}` to auto-populate the value using the `matrix.domain` configuration option and avoid duplicating it. | ||
|
||
value is the base internal URL of the Homeserver, without any /_matrix/.. or trailing /. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
value
instead of value ?
Includes commit 3d26316 from maxidor which allows to test sign-in by using 3PID email without backend:
Just add to application.yaml config file:
(note that this
password
field is not used because the password must be provided by thelogin
request)Note: a method to support GET on
login
(which returns hardcoded JSON message) has been added in order to prevent Riot client displaying an error (405
) message when setting addresses of HS and IS.Requires to configurate Proxy Reverse in Apache and DNS Overwrite as for User Directory feature :
ProxyPass /_matrix/client/r0/login http://localhost:8090/_matrix/client/r0/login
It was working for me according to my Apache configuration, feel free to correct me.
Thus, you should be able to login to your HS using mxisd by typing your 3PID (e.g. you email address) as username and your matrix password.