-
Notifications
You must be signed in to change notification settings - Fork 386
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC3824: OIDC aware clients #3824
Open
hughns
wants to merge
17
commits into
main
Choose a base branch
from
hughns/sso-redirect-action
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
17 commits
Select commit
Hold shift + click to select a range
138f00b
Add an optional query parameter to SSO redirect
hughns 5cba2ff
MSC3824
hughns ca78691
Update proposals/3824-sso-redirect-action.md
hughns 3a67748
Add supported actions per auth type
hughns 1b10fa9
Add GET /_matrix/client/v3/register alternative
hughns 0cd72c6
Rework proposal to be about OIDC aware clients
hughns 8adb0ff
Rename proposal file
hughns e98fc13
Use _ formatted flag name
hughns ccf6b1b
Fixes to Homeserver and Client requirements list
hughns 13e7f44
RECOMMENDED: label SSO button as "Continue"
hughns 262b395
Use unstable prefix for action query param
hughns c2ab31f
Reference to MSC3861
hughns 5bee189
Update proposals/3824-oidc-aware-clients.md
hughns 0eea9ae
Style
hughns eec93e1
Reorganise requiremetns
hughns 54b3e85
Add 3pid and session management requirements
hughns a7ecdfd
Update account management/web UI link parameters for consistency with…
hughns File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
# MSC3824: OIDC aware clients | ||
|
||
This proposal is part of the broader [MSC3861: Matrix architecture change to delegate authentication via OIDC](https://github.com/matrix-org/matrix-spec-proposals/pull/2967). | ||
|
||
In the context of [MSC2964](https://github.com/matrix-org/matrix-doc/pull/2964) we can define four types of client: | ||
|
||
1. *OIDC native client* - This is a client that, where the homeserver supports it, talks to the specified OpenID Provider in order to complete login and registration. e.g. Element X (WIP), Hydrogen (WIP) | ||
1. *OIDC aware client* - This is a client that is aware of OIDC but will still use existing auth types (e.g. `m.login.sso`) to auth with an OIDC enabled homeserver. | ||
1. *Legacy client with SSO support* - This is a client that is not aware of OIDC but does support `m.login.sso` flow. e.g. Element Web, iOS, Android, Fluffy, Nheko, Cinny | ||
1. *Legacy client without SSO support* - This is a client that is not aware of OIDC at all and nor does it support `m.login.sso` flow. Typically auth is done via `m.login.password` only. e.g. Fractal | ||
|
||
The purpose of differentiating #2 and #3 is that, for a Legacy client with SSO support, the user journey can be optimised with minimal modifications when talking to an OIDC enabled homeserver. | ||
|
||
This proposal outlines changes to facilitate clients in becoming OIDC aware. | ||
|
||
## Proposal | ||
|
||
Firstly, a client can specify which action the user is wanting to achieve at the point of SSO redirection. This allows the homeserver to display the most relevant UI to the user. | ||
|
||
Secondly, the homeserver can optionally specify which auth type is `delegated_oidc_compatibility` are supported for an authentication type. | ||
|
||
### Homeserver indicates that an `m.login.sso` flow is for compatibility | ||
|
||
Add an optional `delegated_oidc_compatibility` field to the response of `GET /_matrix/client/v3/login`: | ||
|
||
`"delegated_oidc_compatibility"?: boolean` | ||
|
||
For example, if a homeserver is advertising password login for legacy clients only then it could return the following: | ||
|
||
```json | ||
{ | ||
"flows": [{ | ||
"type": "m.login.password" | ||
}, { | ||
"type": "m.login.sso", | ||
"delegated_oidc_compatibility": true | ||
}] | ||
} | ||
|
||
``` | ||
|
||
If the client finds `delegated_oidc_compatibility` to be `true` then, assuming it supports that auth type, it should present this as the only login/registration method available to the user. | ||
|
||
### Client indicates `action` on SSO redirect | ||
|
||
Add an optional query parameter `action` to `GET /_matrix/client/v3/login/sso/redirect` and `GET /_matrix/client/v3/login/sso/redirect/{idpId}` with meaning: | ||
|
||
- `login` - the SSO redirect is for the purposes of signing an existing user in | ||
- `register` - the SSO redirect is for the purpose of registering a new user account | ||
|
||
e.g. `https://matrix-client.matrix.org/_matrix/client/v3/login/sso/redirect?action=register` | ||
|
||
n.b. we don't need to add this to the [Login Fallback](https://spec.matrix.org/v1.2/client-server-api/#login-fallback) as that isn't used for registration. | ||
|
||
### Definition of OIDC aware | ||
|
||
For a client to be considered fully *OIDC aware* it **must**: | ||
|
||
- support the `m.login.sso` auth flow | ||
- where a `delegated_oidc_compatibility` value of `true` is present on an `m.login.sso` then *only* offer that auth flow to the user | ||
- append `action=login` and `action=register` parameters to the SSO redirect URLs | ||
- link users to manage their account at the OpenID Provider web UI given by [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965) instead of native UI | ||
- check and honour the `m.3pid_changes` [capability](https://spec.matrix.org/v1.7/client-server-api/#m3pid_changes-capability) so that the user is not offered the ability to add or remove 3PIDs when OIDC is used | ||
- if the user wishes to sign out a device session other than it's own then the client **must**: | ||
- link the user to the OpenID Provider web UI given by [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965) if provided | ||
- append the `action` and `device_id` to the web UI link parameters described by [MSC2965](https://github.com/sandhose/matrix-doc/blob/msc/sandhose/oidc-discovery/proposals/2965-oidc-discovery.md#account-management-url-parameters) so that the web UI knows that the user wishes to sign out a device and which one it is. e.g. `?action=session_end&device_id=<device_id>` | ||
|
||
Optionally, an *OIDC aware* client **could**: | ||
|
||
- label the SSO button as "Continue" | ||
- pass other [query parameters for context](https://github.com/sandhose/matrix-doc/blob/msc/sandhose/oidc-discovery/proposals/2965-oidc-discovery.md#account-management-url-parameters) when linking to the account web UI | ||
|
||
For an OIDC enabled homeserver to provide support for *OIDC aware* clients it **must**: | ||
|
||
- support OIDC delegation as per [MSC2964](https://github.com/matrix-org/matrix-spec-proposals/pull/2964) and others | ||
- provide a compatibility layer for `m.login.password` and `m.login.sso` that wraps on to OIDC | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is it defined how |
||
- indicate that the `m.login.sso` is preferred by setting `delegated_oidc_compatibility` to `true` | ||
- make use of the `action` param on the SSO redirect endpoints | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Make use of it to do what? |
||
|
||
Additionally, the homeserver **should**: | ||
|
||
- advertise the account management UI in accordance with [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965) | ||
|
||
## Potential issues | ||
|
||
None. | ||
|
||
## Alternatives | ||
|
||
Clients could assume that an `m.login.sso` is preferred directly from where [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965) OpenID Provider discovery indicates OIDC is being used. However, this might hamper some more custom configuration. | ||
|
||
The homeserver could only offer `m.login.sso` as the supported auth type but this would prevent non-SSO capable legacy clients from accessing the homeserver. | ||
|
||
[Capabilities negotiation](https://spec.matrix.org/v1.2/client-server-api/#capabilities-negotiation) could be used to indicate that `m.login.sso` is preferred. | ||
|
||
For the param on redirect: a `prompt` parameter with values [`create`](https://openid.net/specs/openid-connect-prompt-create-1_0.html#rfc.section.4) and [`login`](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) exists in OIDC for use on the authorized endpoint. However, our use case is different and it might cause confusion to overload these terms. | ||
|
||
## Security considerations | ||
|
||
None relevant. | ||
|
||
## Unstable prefix | ||
|
||
While this feature is in development the following unstable prefixes should be used: | ||
|
||
- `delegated_oidc_compatibility` --> `org.matrix.msc3824.delegated_oidc_compatibility` | ||
- `action` query param --> `org.matrix.msc3824.action` | ||
|
||
## Dependencies | ||
|
||
This MSC depends on the following MSCs, which at the time of writing have not yet | ||
been accepted into the spec: | ||
|
||
- [MSC2964](https://github.com/matrix-org/matrix-spec-proposals/pull/2964): Delegation of auth from homeserver to OIDC Provider | ||
- [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965): OIDC Provider discovery |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'm missing something -- how would the client know whether it is logging in or registering?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The user would have told the client if they already have a Matrix account or not.
For example, by clicking buttons labelled as such.