Skip to content

Commit

Permalink
Use auth header instead of query param for hs->as comms
Browse files Browse the repository at this point in the history
  • Loading branch information
turt2live committed Aug 3, 2022
1 parent b36d4ef commit 97b5702
Show file tree
Hide file tree
Showing 3 changed files with 27 additions and 9 deletions.
1 change: 1 addition & 0 deletions changelogs/application_service/newsfragments/1200.breaking
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Replace homeserver authorization approach with an `Authorization` header instead of `access_token` when talking to the application service, as per [MSC2832](https://github.com/matrix-org/matrix-spec-proposals/pull/2832).
26 changes: 21 additions & 5 deletions content/application-service-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -127,11 +127,27 @@ this.

#### Authorization

Homeservers MUST include a query parameter named `access_token`
containing the `hs_token` from the application service's registration
when making requests to the application service. Application services
MUST verify the provided `access_token` matches their known `hs_token`,
failing the request with an `M_FORBIDDEN` error if it does not match.
{{% changed-in v="1.4" %}}

Homeservers MUST include an `Authorization` header, containing the `hs_token`
from the application service's registration, when making requests to the
application service. Application services MUST verify that the provided
`Bearer` token matches their known `hs_token`, failing the request with
an `M_FORBIDDEN` error if it does not match.

The format of the `Authorization` header is similar to the [Client-Server API](/client-server-api/#client-authentication):
`Bearer TheHSTokenGoesHere`.

{{% boxes/note %}}
In previous versions of this specification, an `access_token` query
parameter was used instead. Servers should only send this query parameter
if supporting legacy versions of the specification.

If sending the `query_string`, it is encouraged to send it alongside
the `Authorization` header for maximum compatibility.

Application services should ensure both match if both are provided.
{{% /boxes/note %}}

#### Legacy routes

Expand Down
9 changes: 5 additions & 4 deletions data/api/application-service/definitions/security.yaml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
# Copyright 2018 New Vector Ltd
# Copyright 2022 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -12,7 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
homeserverAccessToken:
type: apiKey
description: The `hs_token` provided by the application service's registration.
name: access_token
in: query
type: http
scheme: Bearer
# Per docs, this is basically a description. https://swagger.io/docs/specification/authentication/bearer-authentication/
bearerFormat: The `hs_token` provided by the application service's registration.

0 comments on commit 97b5702

Please sign in to comment.