Skip to content

MSC2964: Usage of OAuth 2.0 authorization code grant and refresh token grant#2964

Merged
turt2live merged 42 commits intomatrix-org:mainfrom
sandhose:msc/sandhose/oauth2-profile
Apr 5, 2025
Merged

MSC2964: Usage of OAuth 2.0 authorization code grant and refresh token grant#2964
turt2live merged 42 commits intomatrix-org:mainfrom
sandhose:msc/sandhose/oauth2-profile

Conversation

@sandhose
Copy link
Member

@sandhose sandhose commented Jan 14, 2021
edited by turt2live
Loading

Rendered

Related: matrix-org/matrix-spec#636

Status:

  • Spec is feature complete
  • Reviewed for consistency with MSC3861
  • Implementations believed to be complete enough

Part of the following proposal:

Implementations:

Homeservers

Clients

In OIDC-native mode:

SCT stuff:

checklist

FCP tickyboxes

@turt2live turt2live changed the title MSC2964: [WIP] Matrix profile for OAuth 2.0 [WIP] MSC2964: Matrix profile for OAuth 2.0 Jan 14, 2021
@turt2live turt2live marked this pull request as draft January 14, 2021 17:27
@turt2live turt2live added kind:feature MSC for not-core and not-maintenance stuff proposal A matrix spec change proposal labels Jan 14, 2021
@sandhose
Copy link
Member Author

sandhose commented Jan 15, 2021

Related issue: matrix-org/matrix-spec#636

Related MSCs: #2965, #2966, #2967

In this MSC, there are a few areas that still need work.

First, it outlines different profiles of clients. One important client type that is not yet covered by it are CLI tools.
The natural fit for this would be the client credential grant, taking form of either a client_secret or a secret key for JWT signing.
The problem with this is that it authenticates as "the client", not a user. How users should delegate authorization to other clients is a bit unclear. Maybe RFC 8693 helps with that.

Second, there are the parts that we enforce.
For example, I chose to enforce PKCE for public clients. Since most of Matrix clients are public, I think it makes sense to enforce the current best practices here.
Another example would be credentials for confidential clients. Right now nothing is specified, but it might make sense to encourage the usage of keypairs instead of client secrets. If we encourage that, should it be enforced?
Last example, in the part about the request to the authz endpoint, I mention that the state parameter should be unpredictable. Some profiles go further than that to enforce a minimum entropy for this parameter.

Third there is device handling in general. MSC2967 talks a bit about this, but there will definitely be some changes to the device API.
An example of this is that we might want to surface client metadata when querying the devices instead of just an arbitrary name.
Another open question is should a device be deleted on logout? If so, how do we handle device that are used by multiple clients (which is technically possible with the solution proposed in #2967)?

Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 15, 2021
View reviewed changes
Sorunome
Sorunome reviewed Jan 16, 2021
View reviewed changes
@turt2live turt2live added the needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. label Jun 8, 2021
@richvdh richvdh mentioned this pull request Jun 16, 2021
Merged
@richvdh richvdh mentioned this pull request Dec 20, 2021
Open
@thejhh thejhh mentioned this pull request Apr 25, 2022
Open
ShadowJonathan
ShadowJonathan reviewed May 16, 2022
View reviewed changes
@hughns hughns mentioned this pull request May 25, 2022
Open
@hughns hughns changed the title [WIP] MSC2964: Matrix profile for OAuth 2.0 [WIP] MSC2964: Delegation of auth from homeserver to OIDC Provider May 25, 2022
@hughns hughns mentioned this pull request Aug 4, 2022
Merged
dhenneke
dhenneke reviewed Jan 30, 2023
View reviewed changes
dhenneke
dhenneke reviewed Jan 30, 2023
View reviewed changes
anoadragon453
anoadragon453 approved these changes Mar 23, 2025
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All non-blocking concerns.

sandhose and others added 2 commits March 25, 2025 11:01
@sandhose @anoadragon453
Clarify that code_verifier should be cryptographically random
f993d4d 
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
@sandhose @anoadragon453
Typo
374018a 
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
clokep
clokep reviewed Mar 25, 2025
View reviewed changes
@anoadragon453
Copy link
Member

anoadragon453 commented Mar 31, 2025

@mscbot resolve FCP checklist incomplete

@mscbot
Copy link
Collaborator

mscbot commented Mar 31, 2025

🔔 This is now entering its final comment period, as per the review above. 🔔

@mscbot mscbot added final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. and removed proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. unresolved-concerns This proposal has at least one outstanding concern labels Mar 31, 2025
@turt2live turt2live moved this from Ready for FCP ticks to In FCP in Spec Core Team Workflow Mar 31, 2025
@mscbot
Copy link
Collaborator

mscbot commented Apr 5, 2025

The final comment period, with a disposition to merge, as per the review above, is now complete.

@mscbot mscbot added finished-final-comment-period and removed disposition-merge final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. labels Apr 5, 2025
@turt2live turt2live merged commit 52db4c6 into matrix-org:main Apr 5, 2025
1 check passed
@turt2live turt2live moved this from In FCP to Requires spec writing in Spec Core Team Workflow Apr 5, 2025
@turt2live turt2live added spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec and removed finished-final-comment-period labels Apr 5, 2025
@NinekoTheCat NinekoTheCat mentioned this pull request Apr 18, 2025
Open
@zecakeh zecakeh mentioned this pull request May 24, 2025
Merged
3 tasks
@zecakeh
Copy link
Contributor

zecakeh commented May 25, 2025

spec PR: matrix-org/matrix-spec#2150

@tulir tulir added spec-pr-in-review A proposal which has been PR'd against the spec and is in review and removed spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec labels May 25, 2025
@turt2live turt2live moved this from Requires spec writing to Requires spec PR review in Spec Core Team Workflow Jun 10, 2025
@richvdh
Copy link
Member

richvdh commented Jun 20, 2025

spec PR: matrix-org/matrix-spec#2150

merged! 🎉

@richvdh richvdh added merged A proposal whose PR has merged into the spec! and removed spec-pr-in-review A proposal which has been PR'd against the spec and is in review labels Jun 20, 2025
@turt2live turt2live moved this from Requires spec PR review to Done to some definition in Spec Core Team Workflow Jun 20, 2025
noelportillo
noelportillo reviewed Aug 14, 2025
View reviewed changes
Copy link

@noelportillo noelportillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfect thank you

@krille-chan krille-chan mentioned this pull request Nov 4, 2025
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@turt2live turt2live turt2live left review comments

@ara4n ara4n ara4n left review comments

@dbkr dbkr dbkr left review comments

@hughns hughns hughns left review comments

@clokep clokep clokep left review comments

@anoadragon453 anoadragon453 anoadragon453 approved these changes

@richvdh richvdh richvdh approved these changes

+10 more reviewers

@deepbluev7 deepbluev7 deepbluev7 left review comments

@noelportillo noelportillo noelportillo left review comments

@Johennes Johennes Johennes left review comments

@Sorunome Sorunome Sorunome left review comments

@zecakeh zecakeh zecakeh left review comments

@tonkku107 tonkku107 tonkku107 left review comments

@dhenneke dhenneke dhenneke left review comments

@MTRNord MTRNord MTRNord left review comments

@kate-shine kate-shine kate-shine left review comments

@ShadowJonathan ShadowJonathan ShadowJonathan left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

kind:core MSC which is critical to the protocol's success matrix-2.0 Required for Matrix 2.0 merged A proposal whose PR has merged into the spec! proposal A matrix spec change proposal

Projects

Spec Core Team Workflow
Status: Merged/Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.