Skip to content

MSC2964: Usage of OAuth 2.0 authorization code grant and refresh token grant #2964

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 42 commits into from
Apr 5, 2025
Merged

MSC2964: Usage of OAuth 2.0 authorization code grant and refresh token grant #2964

merged 42 commits into from
Apr 5, 2025

Conversation

sandhose
Copy link
Member

@sandhose sandhose commented Jan 14, 2021
edited by turt2live
Loading

Rendered

Related: matrix-org/matrix-spec#636

Status:

  • Spec is feature complete
  • Reviewed for consistency with MSC3861
  • Implementations believed to be complete enough

Part of the following proposal:

Implementations:

Homeservers

Clients

In OIDC-native mode:

SCT stuff:

checklist

FCP tickyboxes

@turt2live turt2live changed the title MSC2964: [WIP] Matrix profile for OAuth 2.0 [WIP] MSC2964: Matrix profile for OAuth 2.0 Jan 14, 2021
@turt2live turt2live marked this pull request as draft January 14, 2021 17:27
@turt2live turt2live added kind:feature MSC for not-core and not-maintenance stuff proposal A matrix spec change proposal labels Jan 14, 2021
@sandhose
Copy link
Member Author

Related issue: matrix-org/matrix-spec#636

Related MSCs: #2965, #2966, #2967

In this MSC, there are a few areas that still need work.

First, it outlines different profiles of clients. One important client type that is not yet covered by it are CLI tools.
The natural fit for this would be the client credential grant, taking form of either a client_secret or a secret key for JWT signing.
The problem with this is that it authenticates as "the client", not a user. How users should delegate authorization to other clients is a bit unclear. Maybe RFC 8693 helps with that.

Second, there are the parts that we enforce.
For example, I chose to enforce PKCE for public clients. Since most of Matrix clients are public, I think it makes sense to enforce the current best practices here.
Another example would be credentials for confidential clients. Right now nothing is specified, but it might make sense to encourage the usage of keypairs instead of client secrets. If we encourage that, should it be enforced?
Last example, in the part about the request to the authz endpoint, I mention that the state parameter should be unpredictable. Some profiles go further than that to enforce a minimum entropy for this parameter.

Third there is device handling in general. MSC2967 talks a bit about this, but there will definitely be some changes to the device API.
An example of this is that we might want to surface client metadata when querying the devices instead of just an arbitrary name.
Another open question is should a device be deleted on logout? If so, how do we handle device that are used by multiple clients (which is technically possible with the solution proposed in #2967)?

Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 16, 2021
View reviewed changes
@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
@richvdh richvdh mentioned this pull request Jun 16, 2021
Merged
@richvdh richvdh mentioned this pull request Dec 20, 2021
Open
@thejhh thejhh mentioned this pull request Apr 25, 2022
Open
ShadowJonathan
ShadowJonathan reviewed May 16, 2022
View reviewed changes
@hughns hughns mentioned this pull request May 25, 2022
Open
@hughns hughns changed the title [WIP] MSC2964: Matrix profile for OAuth 2.0 [WIP] MSC2964: Delegation of auth from homeserver to OIDC Provider May 25, 2022
@hughns hughns mentioned this pull request Aug 4, 2022
Merged
dhenneke
dhenneke reviewed Jan 30, 2023
View reviewed changes
dhenneke
dhenneke reviewed Jan 30, 2023
View reviewed changes
@sandhose
Copy link
Member Author

@turt2live I believe I've now resolved all threads, which should complete the FCP checklist

anoadragon453
anoadragon453 approved these changes Mar 23, 2025
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All non-blocking concerns.

sandhose and others added 2 commits March 25, 2025 11:01
clokep
clokep reviewed Mar 25, 2025
View reviewed changes
@anoadragon453
Copy link
Member

@mscbot resolve FCP checklist incomplete

@mscbot
Copy link
Collaborator

mscbot commented Mar 31, 2025

🔔 This is now entering its final comment period, as per the review above. 🔔

@mscbot mscbot added final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. and removed proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. unresolved-concerns This proposal has at least one outstanding concern labels Mar 31, 2025
@turt2live turt2live moved this from Ready for FCP ticks to In FCP in Spec Core Team Backlog Mar 31, 2025
@mscbot
Copy link
Collaborator

mscbot commented Apr 5, 2025

The final comment period, with a disposition to merge, as per the review above, is now complete.

@mscbot mscbot added finished-final-comment-period and removed disposition-merge final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. labels Apr 5, 2025
@turt2live turt2live merged commit 52db4c6 into matrix-org:main Apr 5, 2025
1 check passed
@turt2live turt2live moved this from In FCP to Requires spec writing in Spec Core Team Backlog Apr 5, 2025
@turt2live turt2live added spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec and removed finished-final-comment-period labels Apr 5, 2025
@NinekoTheCat NinekoTheCat mentioned this pull request Apr 18, 2025
Open
@zecakeh zecakeh mentioned this pull request May 24, 2025
Merged
3 tasks
@zecakeh
Copy link
Contributor

zecakeh commented May 25, 2025

spec PR: matrix-org/matrix-spec#2150

@tulir tulir added spec-pr-in-review A proposal which has been PR'd against the spec and is in review and removed spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec labels May 25, 2025
@turt2live turt2live moved this from Requires spec writing to Requires spec PR review in Spec Core Team Backlog Jun 10, 2025
@richvdh
Copy link
Member

richvdh commented Jun 20, 2025

spec PR: matrix-org/matrix-spec#2150

merged! 🎉

@richvdh richvdh added merged A proposal whose PR has merged into the spec! and removed spec-pr-in-review A proposal which has been PR'd against the spec and is in review labels Jun 20, 2025
@turt2live turt2live moved this from Requires spec PR review to Done to some definition in Spec Core Team Backlog Jun 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deepbluev7 deepbluev7 deepbluev7 left review comments

@zecakeh zecakeh zecakeh left review comments

@dbkr dbkr dbkr left review comments

@Johennes Johennes Johennes left review comments

@MTRNord MTRNord MTRNord left review comments

@ara4n ara4n ara4n left review comments

@dhenneke dhenneke dhenneke left review comments

@ShadowJonathan ShadowJonathan ShadowJonathan left review comments

@turt2live turt2live turt2live left review comments

@Sorunome Sorunome Sorunome left review comments

@tonkku107 tonkku107 tonkku107 left review comments

@hughns hughns hughns left review comments

@clokep clokep clokep left review comments

@kate-shine kate-shine kate-shine left review comments

@richvdh richvdh richvdh approved these changes

@anoadragon453 anoadragon453 anoadragon453 approved these changes

Assignees
No one assigned
Labels
kind:core MSC which is critical to the protocol's success matrix-2.0 Required for Matrix 2.0 merged A proposal whose PR has merged into the spec! proposal A matrix spec change proposal
Projects
Spec Core Team Backlog
Status: Done to some definition
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.