-
Notifications
You must be signed in to change notification settings - Fork 416
MSC4191: Account management for OAuth 2.0 API #4191
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
sandhose
wants to merge
12
commits into
main
Choose a base branch
from
quenting/account-deeplink
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+133
−0
Open
Changes from 9 commits
Commits
Show all changes
12 commits
Select commit
Hold shift + click to select a range
ce12c59
WIP: Account management deep-linking
sandhose 82d8754
Update to reference OAuth 2.0 API
hughns 9b5842a
Update title for MSC4191 deep-linking proposal
hughns 9322a19
Clarifications and relate to existing wording in spec
hughns f1cc9d6
Update proposals/4191-account-deeplink.md
hughns 0b27bdd
Add note about malicious link mitigation
hughns de46f56
Apply suggestions from code review
hughns 9e1fbf5
Update action values and reorder sections for readability
hughns d9bdee2
Update proposals/4191-account-deeplink.md
hughns 46b463e
Update proposals/4191-account-deeplink.md
hughns 2b12d0d
Update cross-signing reset action with additional details
hughns ea6f4a9
Apply suggestions from code review
hughns File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| # MSC4191: Account management for OAuth 2.0 API | ||
|
|
||
| This proposal builds on the [OAuth 2.0 API](https://spec.matrix.org/v1.15/client-server-api/#oauth-20-api) that was | ||
| added in v1.15 of the spec. | ||
|
|
||
| The current spec makes reference to the "homeserver's web UI" in several places without defining how that is discovered | ||
| nor what you can use it for. | ||
|
|
||
| This proposal defines how that discovery happens and a way to deep-link to the account management capabilities of the | ||
| homeserver to allow the user to complete the account management operations in a browser independently of the client. | ||
|
|
||
| In doing so, this proposal also resolves the issue that there is currently no specced way to delete devices using the | ||
| OAuth 2.0 API (because the API endpoints to delete devices are not supported when using the OAuth 2.0 API). | ||
|
|
||
| ## Proposal | ||
|
|
||
| ### Additional authentication server metadata | ||
|
|
||
| This proposal introduces two new optional fields in the authentication | ||
| [server metadata discovery](https://spec.matrix.org/v1.15/client-server-api/#server-metadata-discovery): | ||
|
|
||
| - `account_management_uri`: the URL where the user is able to access the account management capabilities of the | ||
| homeserver. This is what is currently referred to as the "homeserver's web UI" | ||
| - `account_management_actions_supported`: a JSON array of actions that the account management URL supports | ||
|
|
||
| Note that the intent of this proposal is for these values to potentially end up in a OpenID Connect specification, or at | ||
| least formally registered in the | ||
| [IANA Registry for Server Metadata](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata). | ||
| This is why the metadata fields are not prefixed with `org.matrix.`, but the actions themselves are. | ||
|
|
||
| ### Account management URL parameters | ||
|
|
||
| The account management URL (as provided above) may accept the following additional query parameters: | ||
hughns marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| - `action` - Can be used to indicate the action that the user wishes to take, as defined below. | ||
| - `device_id` - This can be used to identify a particular session for `org.matrix.device_view` and | ||
| `org.matrix.device_delete`. This is the Matrix device ID. | ||
|
|
||
| For example, if a user wishes to sign out a session for the device `ABCDEFGH` where the advertised | ||
| `account_management_uri` was `https://account.example.com/myaccount` the client could open a link to | ||
| `https://account.example.com/myaccount?action=org.matrix.session_end&device_id=ABCDEFGH`. | ||
hughns marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
hughns marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
|
|
||
| Not all actions need to be supported by the account management URL, and the client should only use the actions | ||
| advertised in the `account_management_actions_supported` array from above. | ||
|
|
||
| If the `org.matrix.device_view` or `org.matrix.device_delete` are advertised as supported by the | ||
| server then the server should support the `device_id` parameter. | ||
|
|
||
| ### Possible actions | ||
|
|
||
| The following account management actions are defined by this MSC: | ||
|
|
||
| - `org.matrix.profile` - The user wishes to view/edit their profile (name, avatar, contact details). | ||
| - `org.matrix.devices_list` - The user wishes to view a list of their devices. | ||
| - `org.matrix.device_view` - The user wishes to view the details of a specific device. | ||
| - `org.matrix.device_delete` - The user wishes to delete/logout a specific device. | ||
| - `org.matrix.account_deactivate` - The user wishes to deactivate their account. | ||
hughns marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| Subsequent MSCs may extend this list. | ||
|
|
||
| These actions are prefixed with the full `org.matrix.` (rather than the more compact `m.`) because | ||
| if the IANA registration/OIDC adoption goes ahead then these values would be more clearly namespaced | ||
| to Matrix. | ||
|
|
||
| ## Alternatives | ||
|
|
||
| ### Add UIA support to OAuth 2.0 API so that the existing delete devices endpoints can be used | ||
|
|
||
| n.b. This isn't a complete alternative to this full MSC and instead just considers an alternative way for device | ||
| deletion to happen. | ||
|
|
||
| The following endpoints are currently not supported when using the OAuth 2.0 API: | ||
|
|
||
| - [`POST /_matrix/client/v3/delete_devices`](https://spec.matrix.org/v1.16/client-server-api/#post_matrixclientv3delete_devices) | ||
| - [`DELETE /_matrix/client/v3/devices/{deviceId}`](https://spec.matrix.org/v1.16/client-server-api/#delete_matrixclientv3devicesdeviceid) | ||
|
|
||
| The reason given in the spec is: | ||
|
|
||
| > **WARNING**: Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token | ||
| > was obtained via the OAuth 2.0 API. | ||
|
|
||
| As an alternative to the proposed `org.matrix.session_end` action the above device deletion endpoints could be instead | ||
hughns marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| be used *if* the [User-interactive API](https://spec.matrix.org/v1.15/client-server-api/#user-interactive-api-in-the-rest-api) | ||
| was compatible with the OAuth 2.0 API. | ||
|
|
||
| ### Advertise the account management capabilities in the well-known discovery | ||
|
|
||
| An earlier iteration of [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965) (which formed part of | ||
| the current OAuth 2.0 API) proposed using a | ||
| [well-known style discovery mechanism](https://github.com/sandhose/matrix-spec-proposals/blob/msc/sandhose/oidc-discovery/proposals/2965-auth-metadata.md#discovery-via-existing-well-known-mechanism) | ||
| for the account management URL. | ||
|
|
||
| For consistency it is proposed that the | ||
| [server metadata discovery](https://spec.matrix.org/v1.15/client-server-api/#server-metadata-discovery) API is used | ||
| instead. | ||
|
|
||
| ### Advertise the account management capabilities in a C-S API endpoint | ||
|
|
||
| The metadata could be advertised in a metadata endpoint separate to the | ||
| [server metadata discovery](https://spec.matrix.org/v1.15/client-server-api/#server-metadata-discovery) mechanism. | ||
|
|
||
| ## Security considerations | ||
|
|
||
| For the `org.matrix.session_end` action the | ||
hughns marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| [security considerations](https://spec.matrix.org/v1.15/client-server-api/#security-considerations-6) that are already | ||
| stated for device management apply. | ||
|
|
||
| Consequently for the destructive `org.matrix.session_end` and `org.matrix.account_deactivate` actions the server SHOULD | ||
hughns marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| require re-authentication (or authentication through an additional factor) before allowing the user to complete the | ||
| action. | ||
|
|
||
| Because the format of these links are public and the device IDs are visible to other Matrix users it is trivial for an | ||
| attacker to craft a "malicious" link that targets a destructive action. To mitigate this risk, for the destructive | ||
| actions (`org.matrix.session_end` and `org.matrix.account_deactivate`) the server MUST inform the user of what the | ||
hughns marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| action is prior to it being executed (in addition to any re-authentication as above). | ||
|
|
||
| ## Unstable prefixes | ||
|
|
||
| Whilst in development the fields in the server metadata discovery should be prefixed as follows: | ||
|
|
||
| - `org.matrix.msc4191.account_management_uri` instead of `account_management_uri` | ||
| - `org.matrix.msc4191.account_management_actions_supported` instead of `account_management_actions_supported` | ||
|
|
||
| For future reference, the following unstable action values are known to have been used in prototype | ||
| implementations: | ||
|
|
||
| - `org.matrix.profile`: `profile` | ||
| - `org.matrix.devices_list`: `sessions_list`, `org.matrix.sessions_list` | ||
| - `org.matrix.device_view`: `session_view`, `org.matrix.session_view` | ||
| - `org.matrix.device_delete` - `session_end`, `org.matrix.session_end` | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.