mirror of
https://github.com/matrix-org/matrix-spec
synced 2026-04-30 14:14:09 +02:00
Compare commits
4 commits
f17c68ea45
...
46763d7266
| Author | SHA1 | Date | |
|---|---|---|---|
|
46763d7266 | ||
|
|
32b1f0514d | ||
|
|
c46a813ad2 | ||
|
|
7cdf667992 |
1
changelogs/client_server/newsfragments/2149.feature
Normal file
1
changelogs/client_server/newsfragments/2149.feature
Normal file
|
|
@ -0,0 +1 @@
|
|||
Add the OAuth 2.0 based authentication API, as per [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) and its sub-proposals.
|
||||
1
changelogs/client_server/newsfragments/2158.feature
Normal file
1
changelogs/client_server/newsfragments/2158.feature
Normal file
|
|
@ -0,0 +1 @@
|
|||
Add `/_matrix/client/v1/room_summary/{roomIdOrAlias}` and extend `/_matrix/client/v1/rooms/{roomId}/hierarchy` with the new optional properties `allowed_room_ids`, `encryption` and `room_version` as per [MSC3266](https://github.com/matrix-org/matrix-spec-proposals/pull/3266).
|
||||
|
|
@ -1481,6 +1481,96 @@ MAY reject weak passwords with an error code `M_WEAK_PASSWORD`.
|
|||
|
||||
### OAuth 2.0 API
|
||||
|
||||
#### Scope
|
||||
|
||||
The client requests a scope in the OAuth 2.0 authorization flow, which is then
|
||||
associated to the generated access and refresh tokens. This provides a framework
|
||||
for obtaining user consent.
|
||||
|
||||
A scope is defined in [RFC 6749 section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3)
|
||||
as a string containing a list of space-separated scope tokens.
|
||||
|
||||
{{% boxes/note %}}
|
||||
The framework encourages the practice of obtaining additional user consent when
|
||||
a client asks for a new scope that was not granted previously. This could be
|
||||
used by future MSCs to replace the legacy [User-Interactive Authentication API](#user-interactive-authentication-api).
|
||||
{{% /boxes/note %}}
|
||||
|
||||
##### Scope token format
|
||||
|
||||
All scope tokens related to Matrix should start with `urn:matrix:` and use the
|
||||
`:` delimiter for further sub-division.
|
||||
|
||||
Scope tokens related to mapping of Client-Server API access levels should start
|
||||
with `urn:matrix:client:`.
|
||||
|
||||
{{% boxes/note %}}
|
||||
For MSCs that build on this namespace, unstable subdivisions should be used
|
||||
whilst in development. For example, if MSCXXXX wants to introduce the
|
||||
`urn:matrix:client:foo` scope, it could use
|
||||
`urn:matrix:client:com.example.mscXXXX.foo` during development.
|
||||
If it needs to introduce multiple scopes, like `urn:matrix:client:foo` and
|
||||
`urn:matrix:client:bar`, it could use
|
||||
`urn:matrix:client:com.example.mscXXXX:foo` and
|
||||
`urn:matrix:client:com.example.mscXXXX:bar`.
|
||||
{{% /boxes/note %}}
|
||||
|
||||
##### Allocated scope tokens
|
||||
|
||||
This specification defines the following scope tokens:
|
||||
- [`urn:matrix:client:api:*`](#full-client-server-api-readwrite-access)
|
||||
- [`urn:matrix:client:device:<device_id>`](#device-id-allocation)
|
||||
|
||||
###### Full client-server API read/write access
|
||||
|
||||
| Scope | Purpose |
|
||||
|---------------------------|---------------------------------------------|
|
||||
| `urn:matrix:client:api:*` | Grants full access to the Client-Server API |
|
||||
|
||||
{{% boxes/note %}}
|
||||
This token matches the behavior of the legacy authentication API. Future MSCs
|
||||
could introduce more fine-grained scope tokens like
|
||||
`urn:matrix:client:api:read:*` for read-only access.
|
||||
{{% /boxes/note %}}
|
||||
|
||||
###### Device ID allocation
|
||||
|
||||
| Scope | Purpose |
|
||||
|----------------------------------------|----------------------------------------------------------------------------------------------|
|
||||
| `urn:matrix:client:device:<device_id>` | Allocates the given `device_id` and associates it to the generated access and refresh tokens |
|
||||
|
||||
Contrary to the legacy login and registration APIs where the homeserver is
|
||||
typically the one generating a `device_id` and providing it to the client, with
|
||||
the OAuth 2.0 API, the client is responsible for allocating the `device_id`.
|
||||
|
||||
There MUST be exactly one `urn:matrix:client:device:<device_id>` token in the
|
||||
requested scope in the login flow.
|
||||
|
||||
When generating a new `device_id`, the client SHOULD generate a random string
|
||||
with enough entropy. It SHOULD only use characters from the unreserved character
|
||||
list defined by [RFC 3986 section 2.3](https://datatracker.ietf.org/doc/html/rfc3986#section-2.3):
|
||||
|
||||
```
|
||||
unreserved = a-z / A-Z / 0-9 / "-" / "." / "_" / "~"
|
||||
```
|
||||
|
||||
Using this alphabet, a 10 character string is enough to stand a sufficient
|
||||
chance of being unique per user. The homeserver MAY reject a request for a
|
||||
`device_id` that is not long enough or contains characters outside the
|
||||
unreserved list.
|
||||
|
||||
In any case it MUST only use characters allowed by the OAuth 2.0 scope
|
||||
definition in [RFC 6749 section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3),
|
||||
which is defined as the following ASCII ranges:
|
||||
|
||||
```
|
||||
%x21 / %x23-5B / %x5D-7E
|
||||
```
|
||||
|
||||
This definition matches:
|
||||
- alphanumeric characters: `A-Z`, `a-z`, `0-9`
|
||||
- the following characters: ``! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ ] ^ _ ` { | } ~``
|
||||
|
||||
### Account moderation
|
||||
|
||||
#### Account locking
|
||||
|
|
|
|||
|
|
@ -17,6 +17,8 @@ title: "PublishedRoomsChunk"
|
|||
properties:
|
||||
canonical_alias:
|
||||
type: string
|
||||
format: mx-room-alias
|
||||
pattern: "^#"
|
||||
description: The canonical alias of the room, if any.
|
||||
example: "#general:example.org"
|
||||
name:
|
||||
|
|
@ -29,6 +31,8 @@ properties:
|
|||
example: 42
|
||||
room_id:
|
||||
type: string
|
||||
format: mx-room-id
|
||||
pattern: "^!"
|
||||
description: The ID of the room.
|
||||
example: "!abcdefg:example.org"
|
||||
topic:
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@ allOf:
|
|||
type: array
|
||||
items:
|
||||
type: string
|
||||
format: mx-room-id
|
||||
pattern: "^!"
|
||||
description: |-
|
||||
If the room is a [restricted room](/server-server-api/#restricted-rooms), these are the room IDs which
|
||||
are specified by the join rules. Empty or omitted otherwise.
|
||||
|
|
|
|||
|
|
@ -46,7 +46,13 @@ paths:
|
|||
required: true
|
||||
example: "#monkeys:matrix.org"
|
||||
schema:
|
||||
type: string
|
||||
oneOf:
|
||||
- type: string
|
||||
format: mx-room-id
|
||||
pattern: "^!"
|
||||
- type: string
|
||||
format: mx-room-alias
|
||||
pattern: "^#"
|
||||
- in: query
|
||||
name: via
|
||||
description: |-
|
||||
|
|
@ -60,6 +66,7 @@ paths:
|
|||
type: array
|
||||
items:
|
||||
type: string
|
||||
format: mx-server-name
|
||||
responses:
|
||||
"200":
|
||||
description: A summary of the room.
|
||||
|
|
|
|||
Loading…
Reference in a new issue