Merge ca801d1751 into 3e1cbe12f7

Order error codes and remove duplicate M_THREEPID_IN_USE definition (#2336 )
* Order error codes alphabetically * Remove duplicated definition of M_THREEPID_IN_USE * Changelog * With inline comments about keeping them ordered
2026-04-18 09:04:09 +02:00 · 2026-03-17 11:35:20 -06:00 · 2026-03-17 11:35:06 -06:00 · 2026-03-17 10:13:44 -06:00 · 2026-03-06 21:09:59 +01:00
8 changed files with 371 additions and 161 deletions
--- a/changelogs/client_server/newsfragments/2320.feature
+++ b/changelogs/client_server/newsfragments/2320.feature
@ -0,0 +1 @@
+Add the OAuth 2.0 Device Authorization Grant (RFC 8628) as a supported grant type, as per [MSC4341](https://github.com/matrix-org/matrix-spec-proposals/pull/4341).
--- a/changelogs/client_server/newsfragments/2336.clarification
+++ b/changelogs/client_server/newsfragments/2336.clarification
@ -0,0 +1 @@
+Order the common and other error codes alphabetically and remove duplicate `M_THREEPID_IN_USE` definition.
--- a/changelogs/identity_service/newsfragments/2336.clarification
+++ b/changelogs/identity_service/newsfragments/2336.clarification
@ -0,0 +1 @@
+Order the standard error codes alphabetically.
--- a/changelogs/server_server/newsfragments/2326.clarification
+++ b/changelogs/server_server/newsfragments/2326.clarification
@ -0,0 +1 @@
+Clarify the s2s profile query behaviour and responses.
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@ -93,48 +93,27 @@ request being made was invalid.

 These error codes can be returned by any API endpoint:

-`M_FORBIDDEN`
-: Forbidden access, e.g. joining a room without permission, failed login.
-
-`M_UNKNOWN_TOKEN`
-: The access or refresh token specified was not recognised.
-
-: An additional response parameter, `soft_logout`, might be present on the
-response for 401 HTTP status codes. See [the soft logout
-section](#soft-logout) for more information.
-
-`M_MISSING_TOKEN`
-: No access token was specified for the request.
-
-`M_USER_LOCKED`
-: The account has been [locked](#account-locking) and cannot be used at this time.
-
-`M_USER_SUSPENDED`
-: The account has been [suspended](#account-suspension) and can only be used for
-limited actions at this time.
+<!-- Please keep the error codes below in alphabetical order -->

 `M_BAD_JSON`
 : Request contained valid JSON, but it was malformed in some way, e.g.
 missing required keys, invalid values for keys.

-`M_NOT_JSON`
-: Request did not contain valid JSON.
-
-`M_NOT_FOUND`
-: No resource was found for this request.
+`M_FORBIDDEN`
+: Forbidden access, e.g. joining a room without permission, failed login.

 `M_LIMIT_EXCEEDED`
 : Too many requests have been sent in a short period of time. Wait a while
 then try again. See [Rate limiting](#rate-limiting).

-`M_UNRECOGNIZED`
-: The server did not understand the request. This is expected to be returned with
-a 404 HTTP status code if the endpoint is not implemented or a 405 HTTP status
-code if the endpoint is implemented, but the incorrect HTTP method is used.
+`M_MISSING_TOKEN`
+: No access token was specified for the request.

-`M_UNKNOWN_DEVICE`
-: {{% added-in v="1.17" %}} The device ID supplied by the application service does
-not belong to the user ID during [identity assertion](/application-service-api/#identity-assertion).
+`M_NOT_FOUND`
+: No resource was found for this request.
+
+`M_NOT_JSON`
+: Request did not contain valid JSON.

 `M_RESOURCE_LIMIT_EXCEEDED`
 : The request cannot be completed because the homeserver has reached a
@ -181,39 +160,85 @@ limit is a hard limit that cannot be increased.
 `M_UNKNOWN`
 : An unknown error has occurred.

+`M_UNKNOWN_DEVICE`
+: {{% added-in v="1.17" %}} The device ID supplied by the application service does
+not belong to the user ID during [identity assertion](/application-service-api/#identity-assertion).
+
+`M_UNKNOWN_TOKEN`
+: The access or refresh token specified was not recognised.
+
+: An additional response parameter, `soft_logout`, might be present on the
+response for 401 HTTP status codes. See [the soft logout
+section](#soft-logout) for more information.
+
+`M_UNRECOGNIZED`
+: The server did not understand the request. This is expected to be returned with
+a 404 HTTP status code if the endpoint is not implemented or a 405 HTTP status
+code if the endpoint is implemented, but the incorrect HTTP method is used.
+
+`M_USER_LOCKED`
+: The account has been [locked](#account-locking) and cannot be used at this time.
+
+`M_USER_SUSPENDED`
+: The account has been [suspended](#account-suspension) and can only be used for
+limited actions at this time.
+
+<!-- Please keep the error codes above in alphabetical order -->
+
 #### Other error codes

 The following error codes are specific to certain endpoints.

 <!-- TODO: move them to the endpoints that return them -->

-`M_UNAUTHORIZED`
-: The request was not correctly authorized. Usually due to login failures.
+<!-- Please keep the error codes below in alphabetical order -->

-`M_USER_DEACTIVATED`
-: The user ID associated with the request has been deactivated. Typically
-for endpoints that prove authentication, such as [`/login`](#get_matrixclientv3login).
+`M_BAD_STATE`
+: The state change requested cannot be performed, such as attempting to
+unban a user who is not banned.

-`M_USER_IN_USE`
-: Encountered when trying to register a user ID which has been taken.
+`M_CANNOT_LEAVE_SERVER_NOTICE_ROOM`
+: The user is unable to reject an invite to join the server notices room.
+See the [Server Notices](#server-notices) module for more information.
+
+`M_CAPTCHA_INVALID`
+: The Captcha provided did not match what was expected.
+
+`M_CAPTCHA_NEEDED`
+: A Captcha is required to complete the request.
+
+`M_EXCLUSIVE`
+: The resource being requested is reserved by an application service, or
+the application service making the request has not created the resource.
+
+`M_GUEST_ACCESS_FORBIDDEN`
+: The room or resource does not permit guests to access it.
+
+`M_INCOMPATIBLE_ROOM_VERSION`
+: The client attempted to join a room that has a version the server does
+not support. Inspect the `room_version` property of the error response
+for the room's version.
+
+`M_INVALID_PARAM`
+: A parameter that was specified has the wrong value. For example, the
+server expected an integer and instead received a string.
+
+`M_INVALID_ROOM_STATE`
+: Sent when the initial state given to the `createRoom` API is invalid.

 `M_INVALID_USERNAME`
 : Encountered when trying to register a user ID which is not valid.

+`M_MISSING_PARAM`
+: A required parameter was missing from the request.
+
 `M_ROOM_IN_USE`
 : Sent when the room alias given to the `createRoom` API is already in
 use.

-`M_INVALID_ROOM_STATE`
-: Sent when the initial state given to the `createRoom` API is invalid.
-
-`M_THREEPID_IN_USE`
-: Sent when a threepid given to an API cannot be used because the same
-threepid is already in use.
-
-`M_THREEPID_NOT_FOUND`
-: Sent when a threepid given to an API cannot be used because no record
-matching the threepid was found.
+`M_SERVER_NOT_TRUSTED`
+: The client's request used a third-party server, e.g. identity server,
+that this server does not trust.

 `M_THREEPID_AUTH_FAILED`
 : Authentication could not be performed on the third-party identifier.
@ -223,56 +248,35 @@ matching the threepid was found.
 if the server only permits, for example, email addresses from a
 particular domain.

-`M_SERVER_NOT_TRUSTED`
-: The client's request used a third-party server, e.g. identity server,
-that this server does not trust.
+`M_THREEPID_IN_USE`
+: The third party identifier specified by the client is not acceptable because it is
+already in use in some way.
+
+`M_THREEPID_MEDIUM_NOT_SUPPORTED`
+: The homeserver does not support adding a third party identifier of the given medium.
+
+`M_THREEPID_NOT_FOUND`
+: Sent when a threepid given to an API cannot be used because no record
+matching the threepid was found.
+
+`M_TOO_LARGE`
+: The request or entity was too large.
+
+`M_UNAUTHORIZED`
+: The request was not correctly authorized. Usually due to login failures.

 `M_UNSUPPORTED_ROOM_VERSION`
 : The client's request to create a room used a room version that the
 server does not support.

-`M_INCOMPATIBLE_ROOM_VERSION`
-: The client attempted to join a room that has a version the server does
-not support. Inspect the `room_version` property of the error response
-for the room's version.
+`M_USER_DEACTIVATED`
+: The user ID associated with the request has been deactivated. Typically
+for endpoints that prove authentication, such as [`/login`](#get_matrixclientv3login).

-`M_BAD_STATE`
-: The state change requested cannot be performed, such as attempting to
-unban a user who is not banned.
+`M_USER_IN_USE`
+: Encountered when trying to register a user ID which has been taken.

-`M_GUEST_ACCESS_FORBIDDEN`
-: The room or resource does not permit guests to access it.
-
-`M_CAPTCHA_NEEDED`
-: A Captcha is required to complete the request.
-
-`M_CAPTCHA_INVALID`
-: The Captcha provided did not match what was expected.
-
-`M_MISSING_PARAM`
-: A required parameter was missing from the request.
-
-`M_INVALID_PARAM`
-: A parameter that was specified has the wrong value. For example, the
-server expected an integer and instead received a string.
-
-`M_TOO_LARGE`
-: The request or entity was too large.
-
-`M_EXCLUSIVE`
-: The resource being requested is reserved by an application service, or
-the application service making the request has not created the resource.
-
-`M_CANNOT_LEAVE_SERVER_NOTICE_ROOM`
-: The user is unable to reject an invite to join the server notices room.
-See the [Server Notices](#server-notices) module for more information.
-
-`M_THREEPID_MEDIUM_NOT_SUPPORTED`
-: The homeserver does not support adding a third party identifier of the given medium.
-
-`M_THREEPID_IN_USE`
-: The third party identifier specified by the client is not acceptable because it is
-already in use in some way.
+<!-- Please keep the error codes above in alphabetical order -->

 #### Rate limiting

@ -554,7 +558,7 @@ endpoint.

 With the OAuth 2.0 API, a client can obtain an access token by using one of the
 [grant types](#grant-types) supported by the homeserver and authorizing the
-proper [scope](#scope), as demonstrated in the [login flow](#login-flow). To
+proper [scope](#scope), as demonstrated in the [login flows](#login-flows). To
 invalidate the access token the client must use [token revocation](#token-revocation).

 ### Using access tokens
@ -1751,19 +1755,31 @@ authentication type.

 1. [Discover the OAuth 2.0 server metadata](#server-metadata-discovery).
 2. [Register the client with the homeserver](#client-registration).
-3. [Obtain an access token](#login-flow) by authorizing a [scope](#scope) for the client with the [authorization code grant](#authorization-code-grant).
+3. [Obtain an access token](#login-flows) by authorizing a [scope](#scope) for
+   the client with the [authorization code grant](#authorization-code-grant) or
+   [device authorization grant](#device-authorization-grant).
 4. [Refresh the access token](#token-refresh-flow) with the [refresh token grant](#refresh-token-grant) when it expires.
 5. [Revoke the tokens](#token-revocation) when the users wants to log out of the client.

-#### Login flow
+#### Login flows

-Logging in with the OAuth 2.0 API should be done with the [authorization code
-grant](#authorization-code-grant). In the context of the Matrix specification,
-this means requesting a [scope](#scope) including full client-server API
-read/write access and allocating a device ID.
+Logging in and obtaining an access token with the OAuth 2.0 API should be done
+using either the [authorization code grant](#authorization-code-grant) or
+[device authorization grant](#device-authorization-grant). In the context of the
+Matrix specification, this means requesting a [scope](#scope) including full
+client-server API read/write access and allocating a device ID.

-Once the client has retrieved the [server metadata](#server-metadata-discovery),
-it needs to generate the following values:
+##### Authorization code flow
+
+This login flow uses the [authorization code grant](#authorization-code-grant)
+and is suitable for clients where the following criteria are met:
+
+- There is a web browser available for the user to complete authentication and
+  authorization.
+- The client can receive the callback via a redirect from the web browser.
+
+Once the client has retrieved the [server metadata](#server-metadata-discovery)
+the client needs to generate the following values:

 - `device_id`: a unique identifier for this device; see the
  [`urn:matrix:client:device:<device_id>`](#device-id-allocation) scope token.
@ -1904,6 +1920,143 @@ Sample response:
 Finally, the client can call the  [`/whoami`](#get_matrixclientv3accountwhoami)
 endpoint to get the user ID that owns the access token.

+##### Device authorization flow
+
+{{% added-in v="1.18" %}}
+
+This flow uses the [device authorization grant](#device-authorization-grant) to
+allow clients to obtain an access token without needing to directly interact
+with a web browser. Instead, the user completes authorization on a web browser
+that can be a separate device.
+
+This is useful for devices with limited input
+capabilities (such as CLI applications or embedded devices) or where the
+redirect handling may be unreliable (such as a desktop applications).
+
+Once the client has retrieved the [server metadata](#server-metadata-discovery)
+the client needs to generate following value:
+
+- `device_id`: a unique identifier for this device; see the
+  [`urn:matrix:client:device:<device_id>`](#device-id-allocation) scope token.
+
+**Device authorization request**
+
+The client sends a `application/x-www-form-urlencoded` encoded `POST` request to
+the `device_authorization_endpoint` as defined in
+[RFC 8628 section 3.1](https://datatracker.ietf.org/doc/html/rfc8628#section-3.1):
+
+| Parameter   | Value                                                          |
+|-------------|----------------------------------------------------------------|
+| `client_id` | The client ID returned from client registration.               |
+| `scope`     | `urn:matrix:client:api:* urn:matrix:client:device:<device_id>` with the `device_id` generated previously. |
+
+Sample device authorization request:
+
+```
+POST /oauth2/device HTTP/1.1
+Host: account.example.com
+Content-Type: application/x-www-form-urlencoded
+
+client_id=s6BhdRkqt3&scope=urn%3Amatrix%3Aclient%3Aapi%3A%2A%20urn%3Amatrix%3Aclient%3Adevice%3AAABBBCCCDDD
+```
+
+**Device authorization response**
+
+The server responds with a JSON object as defined in
+[RFC 8628 section 3.2](https://datatracker.ietf.org/doc/html/rfc8628#section-3.2),
+containing:
+
+| Parameter                    |                                                                                                                                               |
+|------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
+| `device_code`                | The device verification code.                                                                                                                 |
+| `user_code`                  | An end-user verification code.                                                                                                                |
+| `verification_uri`           | The end-user verification URI on the authorization server.                                                                                    |
+| `verification_uri_complete`  | Optionally, the URI which doesn't require the user to manually type the `user_code`, designed for non-textual transmission.                   |
+| `expires_in`                 | The lifetime in seconds of the `device_code` and `user_code`.                                                                                 |
+| `interval`                   | The minimum number of seconds the client should wait between polling requests to the token endpoint. If omitted, clients should default to 5. |
+
+It is RECOMMENDED that the server provides a `verification_uri_complete` such
+that the user does not need to type in the `user_code`.
+
+Sample response:
+
+```json
+{
+  "device_code": "GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS",
+  "user_code": "WDJB-MJHT",
+  "verification_uri": "https://account.example.com/link",
+  "verification_uri_complete": "https://account.example.com/link?user_code=WDJB-MJHT",
+  "expires_in": 1800,
+  "interval": 5
+}
+```
+
+**User interaction**
+
+The client conveys the `verification_uri_complete` (and/or `verification_uri`
+and `user_code`) to the user. How the client does this depends on the
+specific device characteristics and use case. For example:
+
+- A CLI application could display the `verification_uri` and `user_code` as text
+  for the user to type into their browser on another device.
+- An embedded device with a screen could encode the `verification_uri_complete`
+  (with fallback to `verification_uri`) as a QR code for the user to scan with
+  their phone.
+- A desktop application running on a platform that does not support callbacks
+  could launch the `verification_uri_complete` (with fallback to
+  `verification_uri`) in the system browser.
+
+The user opens the verification URI in a web browser, which may be on another
+device, and completes authentication and authorization.
+
+**Token polling**
+
+While the user is completing authorization, the client polls the
+`token_endpoint` for the outcome, at intervals no shorter than the `interval`
+value from the device authorization response.
+
+The poll request is a `POST` to the `token_endpoint` with the following
+parameters, encoded as `application/x-www-form-urlencoded` in the body:
+
+| Parameter     | Value                                                          |
+|---------------|----------------------------------------------------------------|
+| `grant_type`  | `urn:ietf:params:oauth:grant-type:device_code`                 |
+| `device_code` | The `device_code` from the device authorization response.      |
+| `client_id`   | The client ID returned from client registration.               |
+
+Sample token polling request:
+
+```
+POST /oauth2/token HTTP/1.1
+Host: account.example.com
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code&device_code=GmRhmhcxhwAzkoEqiMEg_DnyEysNkuNhszIySk9eS&client_id=s6BhdRkqt3
+```
+
+The server responds as defined in [RFC 8628 section
+3.5](https://datatracker.ietf.org/doc/html/rfc8628#section-3.5):
+
+- While authorization is pending, the server returns an `authorization_pending`
+  error (or `slow_down` if the client is polling too frequently).
+- If authorization is denied, the server returns an `access_denied` error.
+- If the device code expires, the server returns an `expired_token` error.
+- On successful authorization, the server returns a JSON object containing the
+  access token, token type, expiration time, refresh token, and scope:
+
+```json
+{
+  "access_token": "2YotnFZFEjr1zCsicMWpAA",
+  "token_type": "Bearer",
+  "expires_in": 299,
+  "refresh_token": "tGz3JOkF0XG5Qx2TlKWIA",
+  "scope": "urn:matrix:client:api:* urn:matrix:client:device:AAABBBCCCDDD"
+}
+```
+
+Finally, the client can call the [`/whoami`](#get_matrixclientv3accountwhoami)
+endpoint to get the user ID that owns the access token.
+
 #### Token refresh flow

 Refreshing a token with the OAuth 2.0 API should be done with the [refresh token
@ -2234,6 +2387,7 @@ The client must also have obtained a `client_id` by [registering with the server

 This specification supports the following grant types:
 - [Authorization code grant](#authorization-code-grant)
+- {{% added-in v="1.18" %}} [Device authorization grant](#device-authorization-grant)
 - [Refresh token grant](#refresh-token-grant)

 ##### Authorization code grant
@ -2258,18 +2412,34 @@ To use this grant, homeservers and clients MUST:
  Encoding Practices](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)
  for clients with an HTTPS redirect URI.

-###### User registration
+##### Device authorization grant

-Clients can signal to the server that the user desires to register a new account
-by initiating the authorization code grant with the `prompt=create` parameter
-set in the authorization request as defined in [Initiating User Registration via
-OpenID Connect 1.0](https://openid.net/specs/openid-connect-prompt-create-1_0.html).
+{{% added-in v="1.18" %}}

-Whether the homeserver supports this parameter is advertised by the
-`prompt_values_supported` authorization server metadata.
+As per [RFC 8628](https://datatracker.ietf.org/doc/html/rfc8628), the device
+authorization grant lets clients on devices with limited input capabilities
+obtain an access token by having the user complete authorization on a separate
+device with a web browser.

-Servers that support this parameter SHOULD show the account registration UI in
-the browser.
+This grant requires the client to know the following [authorization server
+metadata](#server-metadata-discovery):
+
+- `device_authorization_endpoint`
+
+To use this grant, homeservers and clients MUST:
+
+- Support the device authorization grant as per
+  [RFC 8628](https://datatracker.ietf.org/doc/html/rfc8628).
+- Support the [refresh token grant](#refresh-token-grant).
+
+As with the [authorization code grant](#authorization-code-grant), when
+authorization is granted to a client, the homeserver MUST issue a refresh token
+to the client in addition to the access token. The access token and refresh
+token have the same lifetime constraints as described in the [refresh token
+grant](#refresh-token-grant) section.
+
+The full flow for using this grant is described in the
+[device authorization flow](#device-authorization-flow).

 ##### Refresh token grant

@ -2376,6 +2546,22 @@ The server SHOULD return one of the following responses:
 - For other errors, the server returns a `400 Bad Request` response with error
  details

+#### User registration
+
+Clients can signal to the server that the user desires to register a new account
+by initiating the [authorization code grant](#authorization-code-grant) with the `prompt=create` parameter
+set in the authorization request as defined in [Initiating User Registration via
+OpenID Connect 1.0](https://openid.net/specs/openid-connect-prompt-create-1_0.html).
+
+Whether the homeserver supports this parameter is advertised by the
+`prompt_values_supported` authorization server metadata.
+
+Servers that support this parameter SHOULD show the account registration UI in
+the browser.
+
+The `prompt=create` parameter is not supported when using the [device
+authorization grant](#device-authorization-grant).
+
 #### Account management {id="oauth-20-account-management"}

 {{% added-in v="1.18" %}}
--- a/content/identity-service-api.md
+++ b/content/identity-service-api.md
@ -70,26 +70,7 @@ the keys `error` and `errcode` MUST always be present.

 Some standard error codes are below:

-`M_NOT_FOUND`
-: The resource requested could not be located.
-
-`M_MISSING_PARAMS`
-: The request was missing one or more parameters.
-
-`M_INVALID_PARAM`
-: The request contained one or more invalid parameters.
-
-`M_SESSION_NOT_VALIDATED`
-: The session has not been validated.
-
-`M_NO_VALID_SESSION`
-: A session could not be located for the given parameters.
-
-`M_SESSION_EXPIRED`
-: The session has expired and must be renewed.
-
-`M_INVALID_EMAIL`
-: The email address provided was not valid.
+<!-- Please keep the error codes below in alphabetical order -->

 `M_EMAIL_SEND_ERROR`
 : There was an error sending an email. Typically seen when attempting to
@ -98,10 +79,39 @@ verify ownership of a given email address.
 `M_INVALID_ADDRESS`
 : The provided third-party address was not valid.

+`M_INVALID_EMAIL`
+: The email address provided was not valid.
+
+`M_INVALID_PARAM`
+: The request contained one or more invalid parameters.
+
+`M_MISSING_PARAMS`
+: The request was missing one or more parameters.
+
+`M_NO_VALID_SESSION`
+: A session could not be located for the given parameters.
+
+`M_NOT_FOUND`
+: The resource requested could not be located.
+
 `M_SEND_ERROR`
 : There was an error sending a notification. Typically seen when
 attempting to verify ownership of a given third-party address.

+`M_SESSION_EXPIRED`
+: The session has expired and must be renewed.
+
+`M_SESSION_NOT_VALIDATED`
+: The session has not been validated.
+
+`M_THREEPID_IN_USE`
+: The third-party identifier is already in use by another user. Typically
+this error will have an additional `mxid` property to indicate who owns
+the third-party identifier.
+
+`M_UNKNOWN`
+: An unknown error has occurred.
+
 `M_UNRECOGNIZED`
 : The request contained an unrecognised value, such as an unknown token or
 medium.
@ -111,13 +121,7 @@ This is expected to be returned with a 404 HTTP status code if the endpoint is
 not implemented or a 405 HTTP status code if the endpoint is implemented, but
 the incorrect HTTP method is used.

-`M_THREEPID_IN_USE`
-: The third-party identifier is already in use by another user. Typically
-this error will have an additional `mxid` property to indicate who owns
-the third-party identifier.
-
-`M_UNKNOWN`
-: An unknown error has occurred.
+<!-- Please keep the error codes above in alphabetical order -->

 ## Privacy

--- a/data/api/client-server/oauth_server_metadata.yaml
+++ b/data/api/client-server/oauth_server_metadata.yaml
@ -67,8 +67,7 @@ paths:
                    type: string
                    format: uri
                    description: |-
-                      URL of the token endpoint, necessary to use the authorization code grant and
-                      the refresh token grant.
+                      URL of the token endpoint, used by the grants.
                  revocation_endpoint:
                    type: string
                    format: uri
@ -101,6 +100,10 @@ paths:
                      This array MUST contain at least the `authorization_code` and `refresh_token`
                      values, for clients to be able to use the authorization code grant and refresh
                      token grant, respectively.
+
+                      {{% added-in v="1.18" %}} It MAY also contain
+                      `urn:ietf:params:oauth:grant-type:device_code` to indicate support for the
+                      [device authorization grant](/client-server-api/#device-authorization-grant).
                    items:
                      type: string
                      description: A grant type that the server supports.
@ -165,6 +168,14 @@ paths:
                        - "org.matrix.account_deactivate"
                        - "org.matrix.cross_signing_reset"
                      description: An action that the account management URL supports.
+                  device_authorization_endpoint:
+                    x-addedInMatrixVersion: "1.18"
+                    type: string
+                    format: uri
+                    description: |-
+                      URL of the device authorization endpoint, as defined in
+                      [RFC 8628](https://datatracker.ietf.org/doc/html/rfc8628), necessary to use
+                      the [device authorization grant](/client-server-api/#device-authorization-grant).
                required:
                  - issuer
                  - authorization_endpoint
@ -180,9 +191,10 @@ paths:
                  "authorization_endpoint": "https://account.example.com/oauth2/auth",
                  "token_endpoint": "https://account.example.com/oauth2/token",
                  "registration_endpoint": "https://account.example.com/oauth2/clients/register",
+                  "device_authorization_endpoint": "https://account.example.com/oauth2/device",
                  "revocation_endpoint": "https://account.example.com/oauth2/revoke",
                  "response_types_supported": ["code"],
-                  "grant_types_supported": ["authorization_code", "refresh_token"],
+                  "grant_types_supported": ["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code"],
                  "response_modes_supported": ["query", "fragment"],
                  "code_challenge_methods_supported": ["S256"],
                  "account_management_uri": "https://account.example.com/manage",
--- a/data/api/server-server/query.yaml
+++ b/data/api/server-server/query.yaml
@ -111,22 +111,26 @@ paths:
      summary: Query for profile information about a given user
      description: |-
        Performs a query to get profile information, such as a display name or avatar,
-        for a given user. Homeservers should only query profiles for users that belong
+        for a given user. Homeservers MUST only query profiles for users that belong
        to the target server (identified by the [server name](/appendices/#server-name)
        in the user ID).

-        Servers may wish to cache the response to this query to avoid requesting the
-        information too often.
+        Responding servers MAY
+          - allow users to set arbitrary key/value pairs in their profile in addition to the
+            specified pairs
+          - deny profile look-up over federation by responding with 403 and an error code of
+            `M_FORBIDDEN`
+          - omit certain key/value pairs in the response

-        Servers MAY deny profile look-up over federation by responding with 403 and an
-        error code of `M_FORBIDDEN`.
+        Requesting servers MAY wish to cache the response to this query to avoid requesting the
+        information too often.
      operationId: queryProfile
      security:
        - signedRequest: []
      parameters:
        - in: query
          name: user_id
-          description: The user ID to query. Must be a user local to the receiving homeserver.
+          description: The user ID to query. MUST be a user local to the receiving homeserver.
          required: true
          example: "@someone:example.org"
          schema:
@ -134,24 +138,24 @@ paths:
        - in: query
          name: field
          description: |-
-            The field to query. If specified, the server will only return the given field
-            in the response. If not specified, the server will return the full profile for
-            the user.
+            The field of the profile to query. If specified, the server MUST only return the
+            given field in the response. If not specified, the server MUST return the full,
+            public, profile for the user.
+
+            Defined values are `displayname`, `avatar_url` and `m.tz`. In addition to these
+            servers MAY allow users to set additional key/value pairs.
          schema:
            type: string
-            enum:
-              - displayname
-              - avatar_url
      responses:
        "200":
          description: |-
            The profile for the user. If a `field` is specified in the request, only the
-            matching field should be included in the response. If no `field` was specified,
-            the response should include the fields of the user's profile that can be made
+            matching field MUST included in the response. If no `field` was specified,
+            the response MUST include the fields of the user's profile that can be made
            public, such as the display name and avatar.

            If the user does not have a particular field set on their profile, the server
-            should exclude it from the response body or give it the value `null`.
+            MUST either exclude it from the response body or give it the value `null`.
          content:
            application/json:
              schema:
@ -160,20 +164,20 @@ paths:
                  displayname:
                    type: string
                    description: |-
-                      The display name of the user. May be omitted if the user does not have a
-                      display name set.
+                      The display name of the user. MUST either be omitted or set to `null` if
+                      the user does not have a display name set.
                    example: John Doe
                  avatar_url:
                    type: string
                    description: |-
-                      The avatar URL for the user's avatar. May be omitted if the user does not
-                      have an avatar set.
-                    example: mxc://matrix.org/MyC00lAvatar
+                      The avatar URL for the user's avatar. MUST either be omitted or set to
+                      `null` if the user does not have an avatar set.
+                    example: mxc://example.org/MyC00lAvatar
              examples:
                response:
                  value: {
                    "displayname": "John Doe",
-                    "avatar_url": "mxc://matrix.org/MyC00lAvatar"
+                    "avatar_url": "mxc://example.org/MyC00lAvatar"
                  }
        "403":
          x-addedInMatrixVersion: "1.12"
@ -190,7 +194,7 @@ paths:
                    "error": "Profile lookup over federation is disabled on this homeserver"
                  }
        "404":
-          description: The user does not exist or does not have a profile.
+          description: The user does not exist, does not have a profile or the queried field does not exist.
          content:
            application/json:
              schema:
Author	SHA1	Message	Date
famfo	2a3a0d8862	Merge `ca801d1751` into `3e1cbe12f7`	2026-03-17 11:35:20 -06:00
Hugh Nimmo-Smith	3e1cbe12f7	Order error codes and remove duplicate M_THREEPID_IN_USE definition (#2336 ) Some checks are pending Spec / 🔎 Validate OpenAPI specifications (push) Waiting to run Details Spec / 🔎 Check Event schema examples (push) Waiting to run Details Spec / 🔎 Check OpenAPI definitions examples (push) Waiting to run Details Spec / 🔎 Check JSON Schemas inline examples (push) Waiting to run Details Spec / ⚙️ Calculate baseURL for later jobs (push) Waiting to run Details Spec / 🐍 Build OpenAPI definitions (push) Blocked by required conditions Details Spec / 📢 Run towncrier for changelog (push) Waiting to run Details Spec / 📖 Build the spec (push) Blocked by required conditions Details Spec / 🔎 Validate generated HTML (push) Blocked by required conditions Details Spec / 📖 Build the historical backup spec (push) Blocked by required conditions Details Spec / Create release (push) Blocked by required conditions Details Spell Check / Spell Check with Typos (push) Waiting to run Details * Order error codes alphabetically * Remove duplicated definition of M_THREEPID_IN_USE * Changelog * With inline comments about keeping them ordered	2026-03-17 11:35:06 -06:00
Hugh Nimmo-Smith	4f079f8a9c	Spec for MSC4341: Support for RFC 8628 Device Authorization Grant (#2320 ) Some checks are pending Spec / 🔎 Validate OpenAPI specifications (push) Waiting to run Details Spec / 🔎 Check Event schema examples (push) Waiting to run Details Spec / 🔎 Check OpenAPI definitions examples (push) Waiting to run Details Spec / 🔎 Check JSON Schemas inline examples (push) Waiting to run Details Spec / ⚙️ Calculate baseURL for later jobs (push) Waiting to run Details Spec / 🐍 Build OpenAPI definitions (push) Blocked by required conditions Details Spec / 📢 Run towncrier for changelog (push) Waiting to run Details Spec / 📖 Build the spec (push) Blocked by required conditions Details Spec / 🔎 Validate generated HTML (push) Blocked by required conditions Details Spec / 📖 Build the historical backup spec (push) Blocked by required conditions Details Spec / Create release (push) Blocked by required conditions Details Spell Check / Spell Check with Typos (push) Waiting to run Details * MSC4341 * Don't use TV as an example * verification_uri_complete clarification Co-authored-by: Quentin Gliech <quenting@element.io> * Add context about use on desktop applications * Iterate * Update data/api/client-server/oauth_server_metadata.yaml * Update content/client-server-api/_index.md Co-authored-by: Kévin Commaille <76261501+zecakeh@users.noreply.github.com> * Address review feedback --------- Co-authored-by: Quentin Gliech <quenting@element.io> Co-authored-by: Kévin Commaille <76261501+zecakeh@users.noreply.github.com>	2026-03-17 10:13:44 -06:00
famfo	ca801d1751	s2s/query: clarify profile behaviour and API responses Signed-off-by: famfo <famfo@famfo.xyz>	2026-03-06 21:09:59 +01:00
				`@ -0,0 +1 @@`
				`Add the OAuth 2.0 Device Authorization Grant (RFC 8628) as a supported grant type, as per [MSC4341](https://github.com/matrix-org/matrix-spec-proposals/pull/4341).`
				`@ -0,0 +1 @@`
				Order the common and other error codes alphabetically and remove duplicate `M_THREEPID_IN_USE` definition.
				`@ -0,0 +1 @@`
				`Order the standard error codes alphabetically.`
				`@ -0,0 +1 @@`
				`Clarify the s2s profile query behaviour and responses.`