Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3861: Next-generation auth for Matrix, based on OAuth 2.0/OIDC #3861

Draft
wants to merge 15 commits into
base: main
Choose a base branch
from
+236 −0
Draft

MSC3861: Next-generation auth for Matrix, based on OAuth 2.0/OIDC #3861

Changes from 1 commit
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
4521510
Matrix architecture change to delegate authentication via OIDC
hughns Aug 4, 2022
4550bbc
MSC3861
hughns Aug 4, 2022
00cd76d
typoe
ara4n Aug 9, 2022
b684b84
typoes
ara4n Aug 9, 2022
dd60163
typoes
ara4n Aug 9, 2022
9e58990
Add proposal for Matrix.org Foundation to become member of OpenID Fou…
hughns Aug 9, 2022
fb0dfe7
Update proposals/3861-delegated-oidc-architecture.md
hughns Jan 4, 2023
45c0b1c
Move images inline
hughns Feb 8, 2023
ba0c3dc
Use term OpenID Provider
hughns Feb 8, 2023
ef76bfa
Add note about extending UIA as alternative
hughns Feb 9, 2023
4bffdc9
Add reference to related MSCs
hughns Feb 28, 2023
46adfad
Rework the MSC to better explain the rationale for the change
sandhose Sep 11, 2024
ab746d5
Start writing the actual proposal
sandhose Sep 13, 2024
1f1ef22
Remove unused images
sandhose Sep 16, 2024
dc9d84b
Expand on 'why not just OIDC' and fix some typos
sandhose Sep 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
typoes
  • Loading branch information
@ara4n
ara4n authored Aug 9, 2022
commit dd60163d25eced799558382ea6b79c1dc4141bfd
4 changes: 2 additions & 2 deletions proposals/3861-delegated-oidc-architecture.md
View file
Open in desktop
turt2live marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@ Specifically it is proposed that the OpenID Connect (OIDC) protocol is chosen to

There are five proposed action points:

1. Accept the set of MSCs to enabled delegation via OIDC.
1. Accept the set of MSCs to enable delegation via OIDC.
1. Deprecate non-OIDC auth related API endpoints or capabilities in existing Matrix APIs.
1. Provide migration support to the ecosystem.
1. Close all existing MSCs relating to non-OIDC as `obsolete`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make sure to check if those are actually solved by this when doing it. There might be some around that OIDC does not fix but actually complicates, like the Concealed login MSC.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a good point. We should spend some time identifying those MSCs sooner than later, and see for each MSC if either:

  • it solves the problem solved by the MSC
  • the tradeoffs are acceptable if it is conceptually orthogonal

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since now half a year went by: is there any update on which mscs are compatible and which aren't?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MTRNord there is a start of a list at https://github.com/matrix-org/matrix-spec-proposals/blob/hughns/delegated-oidc-architecture/proposals/3861-delegated-oidc-architecture.md#alternatives

Expand Down Expand Up @@ -102,7 +102,7 @@ Examples of existing proposals include:
| [MSC1998: Two-Factor Authentication Providers](https://github.com/matrix-org/matrix-spec-proposals/pull/1998)<br>[MSC2271: TOTP 2FA login](https://github.com/matrix-org/matrix-spec-proposals/pull/2271) | OP is free to implement MFA and many do. The [Matrix OIDC Playground](https://github.com/vector-im/oidc-playground) contains a Keycloak configured to demonstrate this |
| [MSC2000: Server-side password policies](https://github.com/matrix-org/matrix-spec-proposals/pull/2000) | Because the UI is served by the OP it is free to implement whatever password policies it sees fit |
| [MSC3105: Previewing UIA flows](https://github.com/matrix-org/matrix-spec-proposals/pull/3105)<br>[MSC3741: Revealing the useful login flows to clients after a soft logout](https://github.com/matrix-org/matrix-spec-proposals/pull/3741) | These become unnecessary as the burdon to implement auth flows is moved away from the client to the OP |
hughns marked this conversation as resolved.
Show resolved Hide resolved
| [MSC3262: aPAKE authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3262)<br>[MSC2957: Cryptographically Concealed Credentials](https://github.com/matrix-org/matrix-spec-proposals/pull/2957) | This is an interesting one as OIDC explicitly discourages a user from trusting their client with credentials. As such their is no existing flow for PAKEs. To achieve this in OIDC you would need to implement a custom grant in the Client and OP (perhaps an extension of the Resource Owner Password Credentials flow).|
| [MSC3262: aPAKE authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3262)<br>[MSC2957: Cryptographically Concealed Credentials](https://github.com/matrix-org/matrix-spec-proposals/pull/2957) | This is an interesting one as OIDC explicitly discourages a user from trusting their client with credentials. As such there is no existing flow for PAKEs. To achieve this in OIDC you would need to implement a custom grant in the Client and OP (perhaps an extension of the Resource Owner Password Credentials flow).|
sandhose marked this conversation as resolved.
Show resolved Hide resolved
| [MSC3782: Matrix public key login spec](https://github.com/matrix-org/matrix-spec-proposals/pull/3782) | Similar to above |
| [MSC3744: Support for flexible authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3744) | OIDC would instead be used as the pluggable layer for auth in Matrix|

Expand Down