Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC2967: API scopes #2967

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

MSC2967: API scopes #2967

wants to merge 13 commits into from

Conversation

sandhose
Copy link
Member

@sandhose sandhose commented Jan 14, 2021
edited
Loading

Rendered

  • Spec is feature complete
    • Device handling
    • Allow for APIs other than Client-Server in the urn:matrix namespace
    • Security considerations section
  • Reviewed for consistency with MSC3861
  • Implementations believed to be complete enough

Dependencies:

Implementations:

Homeservers

Homeservers:

  • Synapse with Matrix Authentication Service in OIDC Playground: https://auth-oidc.element.dev
    • urn:matrix:client:api:*
    • urn:matrix:client:device:XXXX

Clients

Clients need to request scopes appropriately.

  • Element X iOS and Android
    • urn:matrix:client:api:*
    • urn:matrix:client:device:XXXX
  • Element Web
    • urn:matrix:client:api:*
    • urn:matrix:client:device:XXXX
  • hydrogen
    • urn:matrix:client:api:*
    • urn:matrix:client:device:XXXX
  • files-sdk-demo
    • urn:matrix:client:api:*
    • urn:matrix:client:device:XXXX

@turt2live turt2live changed the title MSC2967: [WIP] API scope restriction [WIP] MSC2967: API scope restriction Jan 14, 2021
@turt2live turt2live marked this pull request as draft January 14, 2021 17:28
@turt2live turt2live added kind:feature MSC for not-core and not-maintenance stuff proposal A matrix spec change proposal labels Jan 14, 2021
This was referenced Jan 15, 2021
Open
Closed
erkinalp
erkinalp suggested changes Jan 31, 2021
View reviewed changes
Copy link

@erkinalp erkinalp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use the word sudo as we do not have a concept of superusers or substitute users in Matrix.

proposals/2967-api-scopes.md Outdated Show resolved Hide resolved
@aaronraimist
Copy link
Contributor

Related: https://github.com/matrix-org/matrix-doc/issues/2889

@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
@hughns hughns mentioned this pull request May 25, 2022
Open
@zecakeh zecakeh mentioned this pull request Jul 25, 2022
Merged
@hughns hughns changed the title [WIP] MSC2967: API scope restriction [WIP] MSC2967: API scopes Aug 3, 2022
@hughns hughns mentioned this pull request Aug 4, 2022
Draft
@hughns hughns changed the title [WIP] MSC2967: API scopes [WIP] MSC2967: OIDC API scopes Feb 28, 2023
@turt2live turt2live added the matrix-2.0 Required for Matrix 2.0 label Mar 3, 2023
clokep
clokep reviewed May 16, 2023
View reviewed changes
proposals/2967-api-scopes.md

#### Device ID handling

Presently a device ID is typically generated by the homeserver and is associated with a specific access token. In OAuth 2.0 there is no such thing as a session and so a mapping cannot be handled using the same mechanism.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still true after refresh tokens (MSC2918)? I thought we did a bunch of work in Synapse related to this recently, but maybe I'm confusing different types of tokens.

clokep
clokep reviewed May 16, 2023
View reviewed changes
proposals/2967-api-scopes.md Outdated

The Device ID handling involves a change in where device IDs are generated. This is discussed in MSC2964. On the OIDC Provider side the device ID proposal requires the use of dynamic scopes. That is, the specific scope is a templated form rather than being static. This is not currently supported by some OpenID Providers (e.g. Okta and Auth0).

The addition of the `WWW-Authenticate` header could cause issue with some clients.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The header itself or attempting to parse it? We could also provider a matching errcode if that's useful?

@kerryarchibald kerryarchibald mentioned this pull request Jun 13, 2023
Closed
@kerryarchibald kerryarchibald mentioned this pull request Jun 23, 2023
Closed
@hughns @clokep
Update proposals/2967-api-scopes.md
8ec2d7c 
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
@zecakeh zecakeh mentioned this pull request Aug 5, 2023
Merged
tonkku107
tonkku107 reviewed Aug 30, 2023
View reviewed changes
proposals/2967-api-scopes.md

#### Device ID handling

Presently a device ID is typically generated by the homeserver and is associated with a specific access token. In OAuth 2.0 there is no such thing as a session and so a mapping cannot be handled using the same mechanism.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In OAuth 2.0 there is no such thing as a session and so a mapping cannot be handled using the same mechanism.

In OIDC they define a sid (Session ID) claim within the id_token in the Front-Channel Logout spec (also referenced in other specs)

I would also like to mention that since clients are expected to use dynamic registration, client_ids resemble device IDs quite a bit

@hughns hughns mentioned this pull request May 10, 2024
Closed
@sandhose sandhose changed the base branch from old_master to main September 3, 2024 11:35
@sandhose
Rework MSC
f65aef3 
- Remove insufficient privilege response
- Remove guest scopes
- Reword some parts
@sandhose sandhose changed the title [WIP] MSC2967: OIDC API scopes MSC2967: OIDC API scopes Sep 16, 2024
@sandhose sandhose marked this pull request as ready for review September 16, 2024 13:11
@sandhose sandhose changed the title MSC2967: OIDC API scopes MSC2967: API scopes Sep 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clokep clokep clokep left review comments

@tonkku107 tonkku107 tonkku107 left review comments

@hughns hughns hughns left review comments

@kegsay kegsay kegsay left review comments

@erkinalp erkinalp erkinalp requested changes

Assignees
No one assigned
Labels
kind:feature MSC for not-core and not-maintenance stuff matrix-2.0 Required for Matrix 2.0 needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@sandhose @aaronraimist @clokep @tonkku107 @erkinalp @hughns @kegsay @turt2live