From 0617aced7c4ea119e204983977fb5e8e061eac77 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travisr@matrix.org>
Date: Mon, 10 Jun 2024 16:50:05 -0600
Subject: [PATCH] C2S: Annotate IdP icon spec with media auth implications

---
 .../client-server/definitions/sso_login_flow.yaml    | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/data/api/client-server/definitions/sso_login_flow.yaml b/data/api/client-server/definitions/sso_login_flow.yaml
index 3b95e664..48f193be 100644
--- a/data/api/client-server/definitions/sso_login_flow.yaml
+++ b/data/api/client-server/definitions/sso_login_flow.yaml
@@ -53,6 +53,18 @@ properties:
           description: |-
             Optional `mxc://` URI to provide an image/icon representing the IdP.
             Intended to be shown alongside the `name` if provided.
+
+            {{% boxes/note %}}
+            Clients will need to use the deprecated [`/download`](/client-server-api/#get_matrixmediav3downloadservernamemediaid)
+            and [`/thumbnail`](/client-server-api/#get_matrixmediav3thumbnailservernamemediaid)
+            endpoints to retrieve this media item because clients will not have
+            an access token they can authenticate with yet. Servers SHOULD ensure
+            media used for IdP icons is excluded from the freeze described by the
+            [Content Repository module's Client Behaviour section](/client-server-api/#content-repo-client-behaviour).
+
+            This may be addressed in the future with proposals like [MSC4148](https://github.com/matrix-org/matrix-spec-proposals/pull/4148),
+            or removed entirely through the transition to OIDC.
+            {{% /boxes/note %}}
           example: "mxc://example.org/abc123"
         brand:
           type: string