Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-05-02 07:04:09 +02:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Compare commits

base: Filip:665fb3d9b018b4050a5efdfa413044943d31673e
Branches Tags
Filip:main
Filip:anoa/mention_messages
Filip:release/v1.18
Filip:release/v1.17
Filip:release/v1.16
Filip:release/v1.15
Filip:release/1.14
Filip:release/v1.13
Filip:release/v1.12
Filip:release/v1.11
Filip:tulir/msc4142
Filip:release/v1.10
Filip:travis/msc2702-msc2701
Filip:rav/ref_objects_in_params
Filip:dkasak/foldable-sidebar
Filip:travis/knock-join
Filip:release/v1.9
Filip:release/v1.8
Filip:anoa/update_docsy
Filip:anoa/nix_flake
Filip:dbkr/3077-multi-stream-voip
Filip:release/v1.7
Filip:dbkr/2746-reliable-voip
Filip:rav/links_for_object_defs
Filip:release/v1.6
Filip:release/v1.5
Filip:release/v1.4
Filip:anoa/invite_knock_room_state
Filip:release/v1.3
Filip:v1.18
Filip:v1.17
Filip:v1.16
Filip:v1.15
Filip:v1.14
Filip:v1.13
Filip:v1.12
Filip:v1.11
Filip:v1.10
Filip:v1.9
Filip:v1.8
Filip:v1.7
Filip:v1.6
Filip:v1.5
Filip:v1.4
Filip:v1.3
Filip:v1.2
Filip:v1.1
Filip:server_server/r0.1.4
Filip:client_server/r0.6.1
Filip:client_server/r0.6.0
Filip:identity_service/r0.3.0
Filip:server_server/r0.1.3
Filip:application_service/r0.1.2
Filip:push_gateway/r0.1.1
Filip:identity_service/r0.2.1
Filip:client_server/r0.5.0
Filip:server_server/r0.1.2
Filip:identity_service/r0.2.0
Filip:application_service/r0.1.1
Filip:server_server/r0.1.1
Filip:server_server/r0.1.0
Filip:client_server/r0.4.0
Filip:identity_service/r0.1.0
Filip:application_service/r0.1.0
Filip:push_gateway/r0.1.0
Filip:client-server/r0.3.0
Filip:client-server/0.3.0
Filip:client-server/r0.2.0
Filip:client-server/r0.1.0
Filip:r0.0.1
Filip:r0.0.0
Filip:0.2.0
..
compare: Filip:e4df2002a01058e6719af3ed5c7be8d050b40d37
Branches Tags
Filip:main
Filip:anoa/mention_messages
Filip:release/v1.18
Filip:release/v1.17
Filip:release/v1.16
Filip:release/v1.15
Filip:release/1.14
Filip:release/v1.13
Filip:release/v1.12
Filip:release/v1.11
Filip:tulir/msc4142
Filip:release/v1.10
Filip:travis/msc2702-msc2701
Filip:rav/ref_objects_in_params
Filip:dkasak/foldable-sidebar
Filip:travis/knock-join
Filip:release/v1.9
Filip:release/v1.8
Filip:anoa/update_docsy
Filip:anoa/nix_flake
Filip:dbkr/3077-multi-stream-voip
Filip:release/v1.7
Filip:dbkr/2746-reliable-voip
Filip:rav/links_for_object_defs
Filip:release/v1.6
Filip:release/v1.5
Filip:release/v1.4
Filip:anoa/invite_knock_room_state
Filip:release/v1.3
Filip:v1.18
Filip:v1.17
Filip:v1.16
Filip:v1.15
Filip:v1.14
Filip:v1.13
Filip:v1.12
Filip:v1.11
Filip:v1.10
Filip:v1.9
Filip:v1.8
Filip:v1.7
Filip:v1.6
Filip:v1.5
Filip:v1.4
Filip:v1.3
Filip:v1.2
Filip:v1.1
Filip:server_server/r0.1.4
Filip:client_server/r0.6.1
Filip:client_server/r0.6.0
Filip:identity_service/r0.3.0
Filip:server_server/r0.1.3
Filip:application_service/r0.1.2
Filip:push_gateway/r0.1.1
Filip:identity_service/r0.2.1
Filip:client_server/r0.5.0
Filip:server_server/r0.1.2
Filip:identity_service/r0.2.0
Filip:application_service/r0.1.1
Filip:server_server/r0.1.1
Filip:server_server/r0.1.0
Filip:client_server/r0.4.0
Filip:identity_service/r0.1.0
Filip:application_service/r0.1.0
Filip:push_gateway/r0.1.0
Filip:client-server/r0.3.0
Filip:client-server/0.3.0
Filip:client-server/r0.2.0
Filip:client-server/r0.1.0
Filip:r0.0.1
Filip:r0.0.0
Filip:0.2.0

1 commit
665fb3d9b0 ... e4df2002a0

Author SHA1 Message Date
Andrew Morgan e4df2002a0
Merge 715e66fa00 into 54944e2866 2025-12-16 18:10:32 +00:00
8 changed files with 33 additions and 161 deletions
Show stats Expand all files Collapse all files

1
changelogs/application_service/newsfragments/2267.feature
View file

@ -1 +0,0 @@
Allow application services to manage devices and register users without the legacy authentication API, as per [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190).

1
changelogs/client_server/newsfragments/2267.feature
View file

@ -1 +0,0 @@
Allow application services to manage devices and register users without the legacy authentication API, as per [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190).

102
content/application-service-api.md
View file

@ -426,8 +426,6 @@ imports and similar behaviour).
#### Server admin style permissions #### Server admin style permissions
{{% changed-in v="1.17" %}}
The homeserver needs to give the application service *full control* over The homeserver needs to give the application service *full control* over
its namespace, both for users and for room aliases. This means that the its namespace, both for users and for room aliases. This means that the
AS should be able to manage any users and room alias in its namespace. No additional API AS should be able to manage any users and room alias in its namespace. No additional API
@ -444,59 +442,33 @@ achieved by including the `as_token` on a `/register` request, along
with a login type of `m.login.application_service` to set the desired with a login type of `m.login.application_service` to set the desired
user ID without a password. user ID without a password.
```http POST /_matrix/client/v3/register
POST /_matrix/client/v3/register Authorization: Bearer YourApplicationServiceTokenHere
Authorization: Bearer YourApplicationServiceTokenHere
```
```json Content:
{ {
"type": "m.login.application_service", "type": "m.login.application_service",
"username": "_irc_example" "username": "_irc_example"
} }
```
{{% boxes/note %}} Similarly, logging in as users needs API changes in order to allow the AS to
{{% added-in v="1.17" %}} log in without needing the user's password. This is achieved by including the
Servers MUST still allow application services to use the `/register` endpoint `as_token` on a `/login` request, along with a login type of
with a login type of `m.login.application_service` even if they don't support `m.login.application_service`:
the [Legacy Authentication API](/client-server-api/#legacy-api).
In that case application services MUST set the `"inhibit_login": true` parameter
as they cannot use it to log in as users. If the `inhibit_login` parameter is
not set to `true`, the server MUST return a 400 HTTP status code with an
`M_APPSERVICE_LOGIN_UNSUPPORTED` error code.
{{% /boxes/note %}}
Similarly, logging in as users using the [Legacy authentication API](/client-server-api/#legacy-api)
needs API changes in order to allow the AS to log in without needing the user's
password. This is achieved by including the `as_token` on a `/login` request,
along with a login type of `m.login.application_service`:
{{% added-in v="1.2" %}} {{% added-in v="1.2" %}}
```http POST /_matrix/client/v3/login
POST /_matrix/client/v3/login Authorization: Bearer YourApplicationServiceTokenHere
Authorization: Bearer YourApplicationServiceTokenHere
```
```json Content:
{ {
"type": "m.login.application_service", "type": "m.login.application_service",
"identifier": { "identifier": {
"type": "m.id.user", "type": "m.id.user",
"user": "_irc_example" "user": "_irc_example"
} }
} }
```
{{% boxes/note %}}
{{% added-in v="1.17" %}}
Application services MUST NOT use the `/login` endpoint if the server doesn't
support the Legacy authentication API. If `/login` is called with the
`m.login.application_service` login type the server MUST return a 400 HTTP
status code with an `M_APPSERVICE_LOGIN_UNSUPPORTED` error code.
{{% /boxes/note %}}
Application services which attempt to create users or aliases *outside* Application services which attempt to create users or aliases *outside*
of their defined namespaces, or log in as users outside of their defined of their defined namespaces, or log in as users outside of their defined
@ -538,38 +510,6 @@ client-server endpoint.
{{% http-api spec="client-server" api="appservice_room_directory" %}} {{% http-api spec="client-server" api="appservice_room_directory" %}}
#### Device management
{{% added-in v="1.17" %}}
Application services need to be able to create and delete devices to manage the
encryption for their users without having to rely on `/login`, which also
generates an access token for the user, and which might not be available for
homeservers that only support the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
##### Creating devices
Application services can use the [`PUT /_matrix/client/v3/devices/{deviceId}`](/client-server-api/#put_matrixclientv3devicesdeviceid)
endpoint to create new devices.
##### Deleting devices
The following endpoints used to delete devices MUST NOT require [User-Interactive
Authentication](/client-server-api/#user-interactive-authentication-api) when
used by an application service:
* [`DELETE /_matrix/client/v3/devices/{deviceId}`](/client-server-api/#delete_matrixclientv3devicesdeviceid)
* [`POST /_matrix/client/v3/delete_devices`](/client-server-api/#post_matrixclientv3delete_devices)
#### Cross-signing
{{% added-in v="1.17" %}}
Appservices need to be able to verify themselves and replace their cross-signing
keys, so the [`POST /_matrix/client/v3/keys/device_signing/upload`](/client-server-api/#post_matrixclientv3keysdevice_signingupload)
endpoint MUST NOT require [User-Interactive Authentication](/client-server-api/#user-interactive-authentication-api)
when used by an application service, even if cross-signing keys already exist.
### Referencing messages from a third-party network ### Referencing messages from a third-party network
Application services should include an `external_url` in the `content` Application services should include an `external_url` in the `content`

13
content/client-server-api/_index.md
View file

@ -477,7 +477,8 @@ the API that was used to obtain their current access token.
{{% boxes/note %}} {{% boxes/note %}}
Currently the OAuth 2.0 API doesn't cover all the use cases of the legacy API, Currently the OAuth 2.0 API doesn't cover all the use cases of the legacy API,
such as automated applications that cannot use a web browser. such as automated applications that cannot use a web browser, or
user management by [application services](application-service-api/#server-admin-style-permissions).
{{% /boxes/note %}} {{% /boxes/note %}}
### Authentication API discovery ### Authentication API discovery
@ -501,12 +502,6 @@ user must do that directly in the homeserver's web UI. However, the client can
signal to the homeserver that the user wishes to create a new account with the signal to the homeserver that the user wishes to create a new account with the
[`prompt=create`](#user-registration) parameter during authorization. [`prompt=create`](#user-registration) parameter during authorization.
{{% boxes/note %}}
{{% added-in v="1.17" %}}
Application services can use the `/register` endpoint to create users regardless
of the authentication API supported by the homeserver.
{{% /boxes/note %}}
### Login ### Login
With the legacy API, a client can obtain an access token by using one of the With the legacy API, a client can obtain an access token by using one of the
@ -1567,10 +1562,6 @@ If the access token does correspond to an appservice, but the user id does
not lie within its namespace then the homeserver will respond with an not lie within its namespace then the homeserver will respond with an
errcode of `M_EXCLUSIVE`. errcode of `M_EXCLUSIVE`.
{{% added-in v="1.17" %}} If this login type is used and the server doesn't
support logging in via the Legacy authentication API, it MUST return a 400 HTTP
status code with an `M_APPSERVICE_LOGIN_UNSUPPORTED` error code.
##### Login Fallback ##### Login Fallback
If a client does not recognize any or all login flows it can use the If a client does not recognize any or all login flows it can use the

8
data/api/client-server/cross_signing.yaml
View file

@ -21,17 +21,13 @@ paths:
x-addedInMatrixVersion: "1.1" x-addedInMatrixVersion: "1.1"
x-changedInMatrixVersion: x-changedInMatrixVersion:
"1.11": UIA is not always required for this endpoint. "1.11": UIA is not always required for this endpoint.
"1.17": |-
This endpoint no longer requires User-Interactive Authentication when used by an
application service.
summary: Upload cross-signing keys. summary: Upload cross-signing keys.
description: |- description: |-
Publishes cross-signing keys for the user. Publishes cross-signing keys for the user.
This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api), This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
except when used by an application service.
User-Interactive Authentication MUST be performed for regular clients, except in these cases: User-Interactive Authentication MUST be performed, except in these cases:
- there is no existing cross-signing master key uploaded to the homeserver, OR - there is no existing cross-signing master key uploaded to the homeserver, OR
- there is an existing cross-signing master key and it exactly matches the - there is an existing cross-signing master key and it exactly matches the
cross-signing master key provided in the request body. If there are any additional cross-signing master key provided in the request body. If there are any additional

45
data/api/client-server/device_management.yaml
View file

@ -87,21 +87,8 @@ paths:
tags: tags:
- Device management - Device management
put: put:
summary: Create or update a device summary: Update a device
x-changedInMatrixVersion: description: Updates the metadata on the given device.
"1.17": The ability to create new devices was added.
description: |-
Updates the metadata on the given device, or creates a new device.
The ability to create new devices is only available to application
services: regular clients may only update existing devices.
When a new device was created, the homeserver MUST return a 201 HTTP
status code. It MUST return a 200 HTTP status code if a device was
updated.
This endpoint is rate-limited for device creation. Servers MAY use login
rate limits.
operationId: updateDevice operationId: updateDevice
security: security:
- accessTokenQuery: [] - accessTokenQuery: []
@ -140,34 +127,19 @@ paths:
examples: examples:
response: response:
value: {} value: {}
"201":
description: |-
The device was successfully created by the application service.
content:
application/json:
schema:
type: object
examples:
response:
value: {}
"404": "404":
description: The current user has no device with the given ID. description: The current user has no device with the given ID.
tags: tags:
- Device management - Device management
delete: delete:
summary: Delete a device summary: Delete a device
x-changedInMatrixVersion:
"1.17": |-
This endpoint no longer requires User-Interactive Authentication when used by an
application service.
description: |- description: |-
This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api), This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
except when used by an application service.
Deletes the given device, and invalidates any access token associated with it. Deletes the given device, and invalidates any access token associated with it.
{{% boxes/warning %}} {{% boxes/warning %}}
When this endpoint requires User-Interactive Authentication, it cannot be used when the access token was obtained Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
via the [OAuth 2.0 API](/client-server-api/#oauth-20-api). via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
{{% /boxes/warning %}} {{% /boxes/warning %}}
operationId: deleteDevice operationId: deleteDevice
@ -218,18 +190,13 @@ paths:
/delete_devices: /delete_devices:
post: post:
summary: Bulk deletion of devices summary: Bulk deletion of devices
x-changedInMatrixVersion:
"1.17": |-
This endpoint no longer requires User-Interactive Authentication when used by an
application service.
description: |- description: |-
This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api), This API endpoint uses the [User-Interactive Authentication API](/client-server-api/#user-interactive-authentication-api).
except when used by an application service.
Deletes the given devices, and invalidates any access token associated with them. Deletes the given devices, and invalidates any access token associated with them.
{{% boxes/warning %}} {{% boxes/warning %}}
When this endpoint requires User-Interactive Authentication, it cannot be used when the access token was obtained Since this endpoint uses User-Interactive Authentication, it cannot be used when the access token was obtained
via the [OAuth 2.0 API](/client-server-api/#oauth-20-api). via the [OAuth 2.0 API](/client-server-api/#oauth-20-api).
{{% /boxes/warning %}} {{% /boxes/warning %}}
operationId: deleteDevices operationId: deleteDevices

9
data/api/client-server/login.yaml
View file

@ -243,13 +243,8 @@ paths:
} }
} }
"400": "400":
description: |- description: Part of the request was invalid. For example, the login type may
Part of the request was invalid. For example, the login type may not be recognised. not be recognised.
Specific error codes used with this status code include:
* {{% added-in v="1.17" %}} `M_APPSERVICE_LOGIN_UNSUPPORTED`: an application service
used the `m.login.application_service` type, but the server doesn't support logging
in via the Legacy authentication API.
content: content:
application/json: application/json:
schema: schema:

15
data/api/client-server/registration.yaml
View file

@ -60,18 +60,6 @@ paths:
Any user ID returned by this API must conform to the grammar given in the Any user ID returned by this API must conform to the grammar given in the
[Matrix specification](/appendices/#user-identifiers). [Matrix specification](/appendices/#user-identifiers).
{{% boxes/note %}}
{{% added-in v="1.17" %}}
Even if the server doesn't support the Legacy authentication API, it
MUST support this endpoint for application services to be able to
[create users](/application-service-api/#server-admin-style-permissions).
In that case application services MUST set the `"inhibit_login": true`
parameter as they cannot use it to log in as users. If the
`inhibit_login` parameter is not set to `true`, the server MUST return a
400 HTTP status code with an `M_APPSERVICE_LOGIN_UNSUPPORTED` error code.
{{% /boxes/note %}}
operationId: register operationId: register
parameters: parameters:
- in: query - in: query
@ -215,9 +203,6 @@ paths:
* `M_INVALID_USERNAME` : The desired user ID is not a valid user name. * `M_INVALID_USERNAME` : The desired user ID is not a valid user name.
* `M_EXCLUSIVE` : The desired user ID is in the exclusive namespace * `M_EXCLUSIVE` : The desired user ID is in the exclusive namespace
claimed by an application service. claimed by an application service.
* {{% added-in v="1.17" %}} `M_APPSERVICE_LOGIN_UNSUPPORTED`: an application service
used the `m.login.application_service` type without setting `inhibit_login` to `true`,
but the server doesn't support logging in via the Legacy authentication API.
These errors may be returned at any stage of the registration process, These errors may be returned at any stage of the registration process,
including after authentication if the requested user ID was registered including after authentication if the requested user ID was registered