Merge ef3d5258e8 into a2a9a02efa

Add OAuth 2.0 scopes (#2149 )
As per MSC2967 Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
2026-04-26 20:44:10 +02:00 · 2025-06-11 09:58:10 +01:00 · 2025-06-11 09:40:17 +01:00 · 2025-05-29 15:45:14 +01:00 · 2025-05-29 15:41:16 +01:00
4 changed files with 97 additions and 11 deletions
--- a/changelogs/client_server/newsfragments/2149.feature
+++ b/changelogs/client_server/newsfragments/2149.feature
@ -0,0 +1 @@
+Add the OAuth 2.0 based authentication API, as per [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) and its sub-proposals.
--- a/changelogs/client_server/newsfragments/2154.clarification
+++ b/changelogs/client_server/newsfragments/2154.clarification
@ -0,0 +1 @@
+Add missing fields in example for `ExportedSessionData`.
--- a/content/client-server-api/_index.md
+++ b/content/client-server-api/_index.md
@ -1481,6 +1481,96 @@ MAY reject weak passwords with an error code `M_WEAK_PASSWORD`.

 ### OAuth 2.0 API

+#### Scope
+
+The client requests a scope in the OAuth 2.0 authorization flow, which is then
+associated to the generated access and refresh tokens. This provides a framework
+for obtaining user consent.
+
+A scope is defined in [RFC 6749 section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
+as a string containing a list of space-separated scope tokens.
+
+{{% boxes/note %}}
+The framework encourages the practice of obtaining additional user consent when
+a client asks for a new scope that was not granted previously. This could be
+used by future MSCs to replace the legacy [User-Interactive Authentication API](#user-interactive-authentication-api).
+{{% /boxes/note %}}
+
+##### Scope token format
+
+All scope tokens related to Matrix should start with `urn:matrix:` and use the
+`:` delimiter for further sub-division.
+
+Scope tokens related to mapping of Client-Server API access levels should start
+with `urn:matrix:client:`.
+
+{{% boxes/note %}}
+For MSCs that build on this namespace, unstable subdivisions should be used
+whilst in development. For example, if MSCXXXX wants to introduce the
+`urn:matrix:client:foo` scope, it could use
+`urn:matrix:client:com.example.mscXXXX.foo` during development.
+If it needs to introduce multiple scopes, like `urn:matrix:client:foo` and
+`urn:matrix:client:bar`, it could use
+`urn:matrix:client:com.example.mscXXXX:foo` and
+`urn:matrix:client:com.example.mscXXXX:bar`.
+{{% /boxes/note %}}
+
+##### Allocated scope tokens
+
+This specification defines the following scope tokens:
+- [`urn:matrix:client:api:*`](#full-client-server-api-readwrite-access)
+- [`urn:matrix:client:device:<device_id>`](#device-id-allocation)
+
+###### Full client-server API read/write access
+
+| Scope                     | Purpose                                     |
+|---------------------------|---------------------------------------------|
+| `urn:matrix:client:api:*` | Grants full access to the Client-Server API. |
+
+{{% boxes/note %}}
+This token matches the behavior of the legacy authentication API. Future MSCs
+could introduce more fine-grained scope tokens like
+`urn:matrix:client:api:read:*` for read-only access.
+{{% /boxes/note %}}
+
+###### Device ID allocation
+
+| Scope                                  | Purpose                                                                                      |
+|----------------------------------------|----------------------------------------------------------------------------------------------|
+| `urn:matrix:client:device:<device_id>` | Allocates the given `device_id` and associates it to the generated access and refresh tokens. |
+
+Contrary to the legacy login and registration APIs where the homeserver is
+typically the one generating a `device_id` and providing it to the client, with
+the OAuth 2.0 API, the client is responsible for allocating the `device_id`.
+
+There MUST be exactly one `urn:matrix:client:device:<device_id>` token in the
+requested scope in the login flow.
+
+When generating a new `device_id`, the client SHOULD generate a random string
+with enough entropy. It SHOULD only use characters from the unreserved character
+list defined by [RFC 3986 section 2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3):
+
+```
+unreserved = a-z / A-Z / 0-9 / "-" / "." / "_" / "~"
+```
+
+Using this alphabet, a 10 character string is enough to stand a sufficient
+chance of being unique per user. The homeserver MAY reject a request for a
+`device_id` that is not long enough or contains characters outside the
+unreserved list.
+
+In any case it MUST only use characters allowed by the OAuth 2.0 scope
+definition in [RFC 6749 section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3),
+which is defined as the following ASCII ranges:
+
+```
+%x21 / %x23-5B / %x5D-7E
+```
+
+This definition matches:
+- alphanumeric characters: `A-Z`, `a-z`, `0-9`
+- the following characters: ``! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ _ ` { | } ~``
+
 ### Account moderation

 #### Account locking
--- a/data/api/client-server/definitions/key_backup_session_data.yaml
+++ b/data/api/client-server/definitions/key_backup_session_data.yaml
@ -23,6 +23,7 @@ properties:
    type: string
    description: |-
      The end-to-end message encryption algorithm that the key is for. Must be `m.megolm.v1.aes-sha2`.
+    example: "m.megolm.v1.aes-sha2"
  forwarding_curve25519_key_chain:
    type: array
    items:
@ -30,31 +31,24 @@ properties:
    description: |-
      Chain of Curve25519 keys through which this session was forwarded, via [m.forwarded_room_key](/client-server-api/#mforwarded_room_key)
      events.
+    example: [ "hPQNcabIABgGnx3/ACv/jmMmiQHoeFfuLB17tzWp6Hw" ]
  sender_key:
    type: string
    description: |-
      Unpadded base64-encoded device Curve25519 key.
+    example: "RF3s+E7RkTQTGF2d8Deol0FkQvgII2aJDf3/Jp5mxVU"
  sender_claimed_keys:
    type: object
    additionalProperties:
      type: string
    description: |-
      A map from algorithm name (`ed25519`) to the Ed25519 signing key of the sending device.
+    example: { "ed25519": "aj40p+aw64yPIdsxoog8jhPu9i7l7NcFRecuOQblE3Y" }
  session_key:
    type: string
    description: |-
      Unpadded base64-encoded session key in [session-export format](https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md#session-export-format).
-example: {
-  "algorithm": "m.megolm.v1.aes-sha2",
-  "forwarding_curve25519_key_chain": [
-    "hPQNcabIABgGnx3/ACv/jmMmiQHoeFfuLB17tzWp6Hw"
-  ],
-  "sender_key": "RF3s+E7RkTQTGF2d8Deol0FkQvgII2aJDf3/Jp5mxVU",
-  "sender_claimed_keys": {
-    "ed25519": "aj40p+aw64yPIdsxoog8jhPu9i7l7NcFRecuOQblE3Y",
-  },
-  "session_key": "AgAAAADxKHa9uFxcXzwYoNueL5Xqi69IkD4sni8Llf..."
-}
+    example: "AgAAAADxKHa9uFxcXzwYoNueL5Xqi69IkD4sni8Llf..."
 required:
  - algorithm
  - forwarding_curve25519_key_chain
Author	SHA1	Message	Date
Richard van der Hoff	c06a9fc4ff	Merge `ef3d5258e8` into `a2a9a02efa`	2025-06-11 09:58:10 +01:00
Kévin Commaille	a2a9a02efa	Add OAuth 2.0 scopes (#2149 ) Some checks failed Spec / 🔎 Validate OpenAPI specifications (push) Has been cancelled Details Spec / 🔎 Check Event schema examples (push) Has been cancelled Details Spec / 🔎 Check OpenAPI definitions examples (push) Has been cancelled Details Spec / 🔎 Check JSON Schemas inline examples (push) Has been cancelled Details Spec / ⚙️ Calculate baseURL for later jobs (push) Has been cancelled Details Spec / 📢 Run towncrier for changelog (push) Has been cancelled Details Spell Check / Spell Check with Typos (push) Has been cancelled Details Spec / 🐍 Build OpenAPI definitions (push) Has been cancelled Details Spec / 📖 Build the spec (push) Has been cancelled Details Spec / 🔎 Validate generated HTML (push) Has been cancelled Details Spec / 📖 Build the historical backup spec (push) Has been cancelled Details As per MSC2967 Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>	2025-06-11 09:40:17 +01:00
Richard van der Hoff	ef3d5258e8	changelog	2025-05-29 15:45:14 +01:00
Richard van der Hoff	99361f5b3b	Fix example for `ExportedSessionData` Currently, the example for `ExportedSessionData` is missing values for `room_id` and `session_id`. Move the example field values for `KeyBackupSessionData` into the field definitions, so that an example for the object as a whole is built automatically, and when we extend it to form `ExportedSessionData` the explicit example does not override the more complete autogenerated one.	2025-05-29 15:41:16 +01:00
				`@ -0,0 +1 @@`
				`Add the OAuth 2.0 based authentication API, as per [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) and its sub-proposals.`
				`@ -0,0 +1 @@`
				Add missing fields in example for `ExportedSessionData`.