mirror of
https://github.com/matrix-org/matrix-spec
synced 2026-04-26 04:24:10 +02:00
Compare commits
4 commits
29cc1bfc85
...
6bc443e809
| Author | SHA1 | Date | |
|---|---|---|---|
| | 6bc443e809 | | |
| | 32b1f0514d | | |
| | f0a1ee14d9 | | |
| | ae9a8c319f | | |
1
changelogs/client_server/newsfragments/2151.feature
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Add the OAuth 2.0 based authentication API, as per [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) and its sub-proposals.
|
||||||
1
changelogs/client_server/newsfragments/2158.feature
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
Add `/_matrix/client/v1/room_summary/{roomIdOrAlias}` and extend `/_matrix/client/v1/rooms/{roomId}/hierarchy` with the new optional properties `allowed_room_ids`, `encryption` and `room_version` as per [MSC3266](https://github.com/matrix-org/matrix-spec-proposals/pull/3266).
|
||||||
|
|
@ -1481,6 +1481,55 @@ MAY reject weak passwords with an error code `M_WEAK_PASSWORD`.
|
||||||
|
|
||||||
### OAuth 2.0 API
|
### OAuth 2.0 API
|
||||||
|
|
||||||
|
#### Token revocation
|
||||||
|
|
||||||
|
When a user wants to log out from a client, the client SHOULD use OAuth 2.0
|
||||||
|
token revocation as defined in [RFC 7009](https://datatracker.ietf.org/doc/html/rfc7009).
|
||||||
|
|
||||||
|
The client makes a `POST` request to the `revocation_endpoint` that can be found
|
||||||
|
in the authorization server metadata.
|
||||||
|
|
||||||
|
The body of the request includes the following parameters, encoded as
|
||||||
|
`application/x-www-form-urlencoded`:
|
||||||
|
|
||||||
|
- `token`: This parameter MUST contain either the access token or the refresh
|
||||||
|
token to be revoked.
|
||||||
|
- `token_type_hint`: This parameter is OPTIONAL, and if present, MUST have a
|
||||||
|
value of either `access_token` or `refresh_token`. The server MAY use this
|
||||||
|
value to optimize the token lookup process.
|
||||||
|
- `client_id`: The client identifier obtained during client registration. This
|
||||||
|
parameter is OPTIONAL.
|
||||||
|
|
||||||
|
If the `client_id` is not provided, or does not match the client associated
|
||||||
|
with the token, the server SHOULD still revoke the token. This behavior is
|
||||||
|
meant to help good actors like secret scanning tools to proactively revoke
|
||||||
|
leaked tokens. The server MAY also warn the user that one of their sessions
|
||||||
|
may be compromised in this scenario.
|
||||||
|
|
||||||
|
For example, revoking using the access token:
|
||||||
|
|
||||||
|
```
|
||||||
|
POST /oauth2/revoke HTTP/1.1
|
||||||
|
Host: auth.example.com
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
|
||||||
|
token=mat_ooreiPhei2wequu9fohkai3AeBaec9oo&
|
||||||
|
token_type_hint=access_token&
|
||||||
|
client_id=s6BhdRkqt3
|
||||||
|
```
|
||||||
|
|
||||||
|
The server MUST revoke both the access token and refresh token associated with
|
||||||
|
the token provided in the request.
|
||||||
|
|
||||||
|
The server SHOULD return one of the following responses:
|
||||||
|
|
||||||
|
- If the token is already revoked or invalid, the server returns a `200 OK`
|
||||||
|
response
|
||||||
|
- If the client is not authorized to revoke the token, the server returns a
|
||||||
|
`401 Unauthorized` response
|
||||||
|
- For other errors, the server returns a `400 Bad Request` response with error
|
||||||
|
details
|
||||||
|
|
||||||
### Account moderation
|
### Account moderation
|
||||||
|
|
||||||
#### Account locking
|
#### Account locking
|
||||||
|
|
|
||||||
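Review bot: in the response list that closes "Token revocation", the `401 Unauthorized` case ("If the client is not authorized to revoke the token") is not reconciled with the earlier paragraph saying the server SHOULD still revoke the token when `client_id` is not provided or does not match the client associated with the token. As written, an implementer cannot tell which requests count as unauthorized, and a server that answers 401 to a mismatched `client_id` would defeat the secret-scanning case that paragraph is written for. Suggest stating when 401 applies (for example, only when client authentication itself fails). The list also covers only "already revoked or invalid" for `200 OK`; add the successful revocation case, which RFC 7009 also answers with 200.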
|
|
@ -17,6 +17,8 @@ title: "PublishedRoomsChunk"
|
||||||
properties:
|
properties:
|
||||||
canonical_alias:
|
canonical_alias:
|
||||||
type: string
|
type: string
|
||||||
|
format: mx-room-alias
|
||||||
|
pattern: "^#"
|
||||||
description: The canonical alias of the room, if any.
|
description: The canonical alias of the room, if any.
|
||||||
example: "#general:example.org"
|
example: "#general:example.org"
|
||||||
name:
|
name:
|
||||||
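Review bot: `pattern: "^#"` under `canonical_alias` checks only the leading sigil, so a bare `#` validates against it, and `mx-room-alias` is a custom format that a generic validator will skip rather than enforce. If the sigil-only check is deliberate, say so in the `description`, so that consumers of the schema do not treat a value that passes validation as a well-formed alias.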
|
|
@ -29,6 +31,8 @@ properties:
|
||||||
example: 42
|
example: 42
|
||||||
room_id:
|
room_id:
|
||||||
type: string
|
type: string
|
||||||
|
format: mx-room-id
|
||||||
|
pattern: "^!"
|
||||||
description: The ID of the room.
|
description: The ID of the room.
|
||||||
example: "!abcdefg:example.org"
|
example: "!abcdefg:example.org"
|
||||||
topic:
|
topic:
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,8 @@ allOf:
|
||||||
type: array
|
type: array
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
|
format: mx-room-id
|
||||||
|
pattern: "^!"
|
||||||
description: |-
|
description: |-
|
||||||
If the room is a [restricted room](/server-server-api/#restricted-rooms), these are the room IDs which
|
If the room is a [restricted room](/server-server-api/#restricted-rooms), these are the room IDs which
|
||||||
are specified by the join rules. Empty or omitted otherwise.
|
are specified by the join rules. Empty or omitted otherwise.
|
||||||
|
|
|
||||||
|
|
@ -46,7 +46,13 @@ paths:
|
||||||
required: true
|
required: true
|
||||||
example: "#monkeys:matrix.org"
|
example: "#monkeys:matrix.org"
|
||||||
schema:
|
schema:
|
||||||
type: string
|
oneOf:
|
||||||
|
- type: string
|
||||||
|
format: mx-room-id
|
||||||
|
pattern: "^!"
|
||||||
|
- type: string
|
||||||
|
format: mx-room-alias
|
||||||
|
pattern: "^#"
|
||||||
- in: query
|
- in: query
|
||||||
name: via
|
name: via
|
||||||
description: |-
|
description: |-
|
||||||
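Review bot: in the new `oneOf`, the `pattern: "^#"` branch and the example `#monkeys:matrix.org` describe the decoded value, but a literal `#` in a request URL starts the fragment and is never sent to the server. Suggest adding to the parameter description that an alias must be percent-encoded when placed in the URL and that the patterns apply after decoding. The two branches are mutually exclusive on the first character, so `oneOf` itself is fine here.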
|
|
@ -60,6 +66,7 @@ paths:
|
||||||
type: array
|
type: array
|
||||||
items:
|
items:
|
||||||
type: string
|
type: string
|
||||||
|
format: mx-server-name
|
||||||
responses:
|
responses:
|
||||||
"200":
|
"200":
|
||||||
description: A summary of the room.
|
description: A summary of the room.
|
||||||
|
|
|
||||||