|
| 1 | +# MSC4326: Device masquerading for appservices |
| 2 | + |
| 3 | +*History*: This proposal is split off from [MSC3202: Encrypted Appservices](https://github.com/matrix-org/matrix-spec-proposals/pull/3202). |
| 4 | + |
| 5 | +Appservices today can make requests as any (local) user in their namespace through [identity assertion](https://spec.matrix.org/v1.15/application-service-api/#identity-assertion). |
| 6 | +To support end-to-end encryption and other similar device-centric functionality, appservices need to |
| 7 | +be able to also pick the device ID they are speaking as. |
| 8 | + |
| 9 | +This proposal adds device ID to the identity assertion appservices can already perform, leaving other |
| 10 | +aspects of end-to-end encryption support to other MSCs like MSC3202 (mentioned above). |
| 11 | + |
| 12 | + |
| 13 | +## Proposal |
| 14 | + |
| 15 | +To complement the (optional) `user_id` query string parameter during identity assertion, an also-optional |
| 16 | +`device_id` parameter is also supported. The new `device_id` parameter is only available when `user_id` |
| 17 | +is available to the caller - when authenticating using an `as_token`. |
| 18 | + |
| 19 | +When both a `user_id` and `device_id` are provided, and both are known/registered, the server uses those |
| 20 | +details for the remainder of the request. For many endpoints this means updating the "last seen IP" |
| 21 | +and "last seen timestamp" for the device, though for some endpoints it may mean interacting with the |
| 22 | +device specifically (such as when uploading one-time keys). |
| 23 | + |
| 24 | +If the `device_id` does not already exist on the `user_id`, the server returns a `400 M_UNKNOWN_DEVICE` |
| 25 | +standard error response. |
| 26 | + |
| 27 | +If the `device_id` is present without a `user_id`, the `user_id` is assumed to be the appservice's |
| 28 | +default sender (the user implied by `sender_localpart` in its registration). This is the same behaviour |
| 29 | +as today when the appservice makes such requests. |
| 30 | + |
| 31 | +If the `device_id` is present and the requester is not able to use identity assertion, the request |
| 32 | +continues as though the `device_id` parameter was never present. This copies the behaviour of `user_id`. |
| 33 | + |
| 34 | +### Examples |
| 35 | + |
| 36 | +*All examples assume the `user_id` is within the appservice's scope.* |
| 37 | + |
| 38 | +User ID asserted, but not device ID: |
| 39 | + |
| 40 | +```text |
| 41 | +GET /_matrix/client/v3/account/whoami?user_id=@alice:example.org |
| 42 | +Authorization: Bearer as_token_here |
| 43 | +
|
| 44 | +{ |
| 45 | + "user_id": "@alice:example.org", |
| 46 | + "is_guest": false |
| 47 | +} |
| 48 | +``` |
| 49 | + |
| 50 | +User ID and device ID asserted: |
| 51 | + |
| 52 | +```text |
| 53 | +GET /_matrix/client/v3/account/whoami?user_id=@alice:example.org&device_id=ABC123 |
| 54 | +Authorization: Bearer as_token_here |
| 55 | +
|
| 56 | +{ |
| 57 | + "user_id": "@alice:example.org", |
| 58 | + "is_guest": false, |
| 59 | + "device_id": "ABC123" |
| 60 | +} |
| 61 | +``` |
| 62 | + |
| 63 | +Just device ID asserted: |
| 64 | + |
| 65 | +```text |
| 66 | +GET /_matrix/client/v3/account/whoami?device_id=ABC123 |
| 67 | +Authorization: Bearer as_token_here |
| 68 | +
|
| 69 | +{ |
| 70 | + "user_id": "@the_appservice_sender:example.org", |
| 71 | + "is_guest": false, |
| 72 | + "device_id": "ABC123" |
| 73 | +} |
| 74 | +``` |
| 75 | + |
| 76 | +Nothing asserted: |
| 77 | + |
| 78 | +```text |
| 79 | +GET /_matrix/client/v3/account/whoami |
| 80 | +Authorization: Bearer as_token_here |
| 81 | +
|
| 82 | +{ |
| 83 | + "user_id": "@the_appservice_sender:example.org", |
| 84 | + "is_guest": false |
| 85 | +} |
| 86 | +``` |
| 87 | + |
| 88 | +## Potential issues |
| 89 | + |
| 90 | +Appservices will need to create and manage their users' devices using another proposal or system. An |
| 91 | +example is [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190). |
| 92 | + |
| 93 | + |
| 94 | +## Alternatives |
| 95 | + |
| 96 | +None relevant. |
| 97 | + |
| 98 | + |
| 99 | +## Security considerations |
| 100 | + |
| 101 | +The behaviour of `device_id` is largely copied from `user_id`, so should not increase or decrease an |
| 102 | +appservice's capabilities beyond what it could already do. This is especially true for appservices |
| 103 | +which cover "real" users in their namespaces: while they couldn't (and still can't) access data encrypted |
| 104 | +before using something like [MSC3202](https://github.com/matrix-org/matrix-spec-proposals/pull/3202), |
| 105 | +they could log out whatever devices they don't want and register new ones accordingly. |
| 106 | + |
| 107 | + |
| 108 | +## Unstable prefix |
| 109 | + |
| 110 | +For historical reasons, unstable implementations of this proposal should use `org.matrix.msc3202.device_id` |
| 111 | +instead of `device_id`. |
| 112 | + |
| 113 | +`ORG.MATRIX.MSC4326.M_UNKNOWN_DEVICE` is used as the error code instead of `M_UNKNOWN_DEVICE`. |
| 114 | + |
| 115 | +## Dependencies |
| 116 | + |
| 117 | +None relevant. Some MSCs depend on this MSC's functionality, however. |
0 commit comments