@sandhose sandhose commented Feb 19, 2025

The context for this is that the Matrix spec allows basically anything in the device ID. With MSC3861, we're restricting this to strings that can be represented as scopes.
Whilst this works well for next-gen auth sessions, compatibility/legacy sessions still can have characters that can't be encoded (mainly spaces) in them.

To work around that, we added in MAS a behaviour where the device_id is given as an explicit property of the token introspection response, and removed from the scope.
Because we don't expect users to roll out new Synapse and MAS versions in sync, we needed a way to 'advertise' support for this behaviour: the easiest way to do that was through an extra header in the introspection response.

In the longer term, I expect MAS and Synapse to move away from the introspection endpoint, and instead define a specific API for Synapse -> MAS communication.

PR on the MAS side: element-hq/matrix-authentication-service#4067

@sandhose sandhose marked this pull request as ready for review February 21, 2025 08:29
@sandhose sandhose requested a review from a team as a code owner February 21, 2025 08:29
@reivilibre reivilibre merged commit 08c56c3 into develop Mar 4, 2025
39 checks passed
@reivilibre reivilibre deleted the quenting/mas/explicit-device-id branch March 4, 2025 13:08
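
The negotiation described in the PR description, sketched from the resource server's side as an added example (not code from this PR, Synapse or MAS). Assumptions: the header name is a placeholder because the page does not give the real one, its presence alone is treated as the capability signal, and the device scope prefix is the MSC2967 unstable form.

```python
import re

# Assumptions (not from the PR): the header name is a placeholder, and its mere
# presence is treated as the capability signal.
SUPPORT_HEADER = "x-example-explicit-device-id"
# Device scope prefix as defined by MSC2967 (unstable form); not quoted on the page.
DEVICE_SCOPE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:"
# RFC 6749 scope-token: printable ASCII except space, '"' and '\'.
SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def is_scope_encodable(device_id: str) -> bool:
    """True if the device ID can be carried inside a single scope token."""
    return SCOPE_TOKEN.fullmatch(device_id) is not None


def resolve_device_id(headers: dict, body: dict):
    """Return the device ID for an introspected token, or None if it has none."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if SUPPORT_HEADER in lowered:
        # Advertised behaviour: the explicit property is authoritative and the
        # scope is not consulted for a device ID.
        device_id = body.get("device_id")
        if device_id is not None and not isinstance(device_id, str):
            raise ValueError("device_id must be a string")
        return device_id
    # Older responder: recover the device ID from the scope, rejecting ambiguity.
    scopes = body.get("scope", "").split(" ")
    found = [s[len(DEVICE_SCOPE_PREFIX):] for s in scopes
             if s.startswith(DEVICE_SCOPE_PREFIX)]
    if len(found) > 1:
        raise ValueError("multiple device scopes in introspection response")
    return found[0] if found else None


# Constructed sample responses: a legacy device ID containing spaces.
LEGACY_ID = "My Old Phone"
OLD_RESPONSE = ({}, {"active": True,
                     "scope": "openid " + DEVICE_SCOPE_PREFIX + LEGACY_ID})
NEW_RESPONSE = ({"X-Example-Explicit-Device-Id": "true"},
                {"active": True, "scope": "openid", "device_id": LEGACY_ID})

if __name__ == "__main__":
    print(is_scope_encodable(LEGACY_ID))
    print(resolve_device_id(*OLD_RESPONSE))
    print(resolve_device_id(*NEW_RESPONSE))
```

The old-style response shows the failure the PR works around: splitting the scope on spaces truncates the legacy device ID, so the token would be bound to the wrong device.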