matrix-spec/drafts/macaroons_caveats.rst

Macaroon Caveats
================

`Macaroons`_ are issued by Matrix servers as authorization tokens. Macaroons may be restricted by adding caveats to them.

.. _Macaroons: http://theory.stanford.edu/~ataly/Papers/macaroons.pdf

Caveats can only be used for reducing the scope of a token, never for increasing it. Servers are required to reject any macroon with a caveat that they do not understand.

Some caveats are specified in this specification, and must be understood by all servers. The use of non-standard caveats is allowed.

All caveats must take the form::

  key operator value

where:
 - ``key`` is a non-empty string drawn from the character set [A-Za-z0-9_]
 - ``operator`` is a non-empty string which does not contain whitespace
 - ``value`` is a non-empty string
 
And these are joined by single space characters.

Specified caveats:

+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
| Caveat name | Description                                      | Legal Values                                                                                   |
+=============+==================================================+================================================================================================+
| gen         | Generation of the macaroon caveat spec.          | 1                                                                                              |
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
| user_id     | ID of the user for which this macaroon is valid. | Pure equality check. Operator must be =.                                                       |
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
| type        | The purpose of this macaroon.                    | - ``access``: used to authorize any action except token refresh                                |
|             |                                                  | -  ``refresh``: only used to authorize a token refresh                                         |
|             |                                                  | - ``login``: issued as a very short-lived token by third party login flows; proves that        |
|             |                                                  |   authentication has happened but doesn't grant any privileges other than being able to be     |
|             |                                                  |   exchanged for other tokens.                                                                  |
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
| time        | Time before/after which this macaroon is valid.  | A POSIX timestamp in milliseconds (in UTC).                                                    |
|             |                                                  | Operator < means the macaroon is valid before the timestamp, as interpreted by the server.     |
|             |                                                  | Operator > means the macaroon is valid after the timestamp, as interpreted by the server.      |
|             |                                                  | Operator == means the macaroon is valid at exactly the timestamp, as interpreted by the server.|
|             |                                                  | Note that exact equality of time is largely meaningless.                                       |
+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+
Add draft macaroon caveat specification 2015-08-19 16:00:22 +02:00			`Macaroon Caveats`
			`================`

Respond to some review comments 2015-09-25 14:17:11 +02:00			`Macaroons`_ are issued by Matrix servers as authorization tokens. Macaroons may be restricted by adding caveats to them.

Remove extraneous ) 2015-09-25 14:18:09 +02:00			`.. _Macaroons: http://theory.stanford.edu/~ataly/Papers/macaroons.pdf`
Add draft macaroon caveat specification 2015-08-19 16:00:22 +02:00
			`Caveats can only be used for reducing the scope of a token, never for increasing it. Servers are required to reject any macroon with a caveat that they do not understand.`

			`Some caveats are specified in this specification, and must be understood by all servers. The use of non-standard caveats is allowed.`

More formatting fixes 2015-11-10 12:28:27 +01:00			`All caveats must take the form::`
Add draft macaroon caveat specification 2015-08-19 16:00:22 +02:00
More formatting fixes 2015-11-10 12:28:27 +01:00			`key operator value`

			`where:`
			- ``key`` is a non-empty string drawn from the character set [A-Za-z0-9_]
			- ``operator`` is a non-empty string which does not contain whitespace
			- ``value`` is a non-empty string

Add draft macaroon caveat specification 2015-08-19 16:00:22 +02:00			`And these are joined by single space characters.`

			`Specified caveats:`

Clarify == case 2015-09-14 18:13:54 +02:00			`+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+`
			`\| Caveat name \| Description \| Legal Values \|`
Fix table formatting 2015-11-10 12:26:06 +01:00			`+=============+==================================================+================================================================================================+`
Clarify == case 2015-09-14 18:13:54 +02:00			`\| gen \| Generation of the macaroon caveat spec. \| 1 \|`
Fix table formatting 2015-11-10 12:26:06 +01:00			`+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+`
Clarify == case 2015-09-14 18:13:54 +02:00			`\| user_id \| ID of the user for which this macaroon is valid. \| Pure equality check. Operator must be =. \|`
Fix table formatting 2015-11-10 12:26:06 +01:00			`+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+`
More formatting.. 2015-11-10 12:31:31 +01:00			\| type \| The purpose of this macaroon. \| - ``access``: used to authorize any action except token refresh \|
			\| \| \| - ``refresh``: only used to authorize a token refresh \|
			\| \| \| - ``login``: issued as a very short-lived token by third party login flows; proves that \|
			`\| \| \| authentication has happened but doesn't grant any privileges other than being able to be \|`
			`\| \| \| exchanged for other tokens. \|`
Fix table formatting 2015-11-10 12:26:06 +01:00			`+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+`
Clarify == case 2015-09-14 18:13:54 +02:00			`\| time \| Time before/after which this macaroon is valid. \| A POSIX timestamp in milliseconds (in UTC). \|`
Document macaroon type=login 2015-11-09 17:04:31 +01:00			`\| \| \| Operator < means the macaroon is valid before the timestamp, as interpreted by the server. \|`
			`\| \| \| Operator > means the macaroon is valid after the timestamp, as interpreted by the server. \|`
			`\| \| \| Operator == means the macaroon is valid at exactly the timestamp, as interpreted by the server.\|`
			`\| \| \| Note that exact equality of time is largely meaningless. \|`
Clarify == case 2015-09-14 18:13:54 +02:00			`+-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+`