MSC2416: Add m.login.jwt authentication type

[Sorunome]

Rendered

Soru is interested in providing a synapse implementation for this.

Signed-off-by: Sorunome mail@sorunome.de

---

SCT Stuff:

FCP closure tickyboxes

No checklist.

[deepbluev7]

I think I would prefer that, since it lets the server know which token validator to use. Otherwise the HS needs to guess, which type of token it has to validate (from what I can tell). It would also make it easier for clients to know, what login token types are supported.

[Sorunome]

Otherwise the HS needs to guess, which type of token it has to validate (from what I can tell).

it could guess, and on failure try other token validators.

[deepbluev7]

Yeah, but while m.login.jwt and m.login.token do follow the same schema, putting them in the same type fails to communicate semantic information. Maybe that isn't an issue in practice, but it would seem like an issue to me as a client dev. How would I know, what token to send to a server? Just try it?

[Sorunome]

Yeah, you could just try it out. That being said, the JWT proposed here would be mainly for appservices to use, probably

[turt2live]

The m.login.token type was removed from the spec in MSC2611 - this MSC will need to address that.

[richvdh]

The m.login.token type was removed from the spec in MSC2611 - this MSC will need to address that.

I think this MSC is talking about login types (ie, the type argument to POST /_matrix/client/r0/login), whereas MSC2611 was about user-interactive authentication types. The two are related but different.

[clokep]

It is also worth noting that m.login.jwt is now deprecated in Synapse and replaced with org.matrix.login.jwt, which is also documented.

[Sorunome]

Updated to introduce m.login.jwt now

[clokep]

It is also worth noting that m.login.jwt is now deprecated in Synapse and replaced with org.matrix.login.jwt, which is also documented.

Synapse has also dropped support for m.login.jwt finally in v1.59.0 (released on 2022-05-17).

[richvdh]

As per matrix-org/matrix-spec#370 (comment): this makes more sense as a custom extension rather than something to spec. (Inherently: if you've acquired a JWT somewhere, then you don't have a regular matrix client, you have a custom deployment which links together your client and server).

In any case, login is being replaced by OAuth2.

@mscbot fcp close

[mscbot]

Team member @richvdh has proposed to close this. The next step is review by the rest of the tagged people:

• @clokep
• @dbkr
• @uhoreg
• @turt2live
• @ara4n
• @anoadragon453
• @richvdh
• @tulir
• @erikjohnston
• @KitsuneRal

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

[mscbot]

🔔 This is now entering its final comment period, as per the review above. 🔔

[mscbot]

The final comment period, with a disposition to close, as per the review above, is now complete.