Skip to content
Merged
Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
55 commits
Select commit Hold shift + click to select a range
4521510
Matrix architecture change to delegate authentication via OIDC
hughns Aug 4, 2022
4550bbc
MSC3861
hughns Aug 4, 2022
00cd76d
typoe
ara4n Aug 9, 2022
b684b84
typoes
ara4n Aug 9, 2022
dd60163
typoes
ara4n Aug 9, 2022
9e58990
Add proposal for Matrix.org Foundation to become member of OpenID Fou…
hughns Aug 9, 2022
fb0dfe7
Update proposals/3861-delegated-oidc-architecture.md
hughns Jan 4, 2023
45c0b1c
Move images inline
hughns Feb 8, 2023
ba0c3dc
Use term OpenID Provider
hughns Feb 8, 2023
ef76bfa
Add note about extending UIA as alternative
hughns Feb 9, 2023
4bffdc9
Add reference to related MSCs
hughns Feb 28, 2023
46adfad
Rework the MSC to better explain the rationale for the change
sandhose Sep 11, 2024
ab746d5
Start writing the actual proposal
sandhose Sep 13, 2024
1f1ef22
Remove unused images
sandhose Sep 16, 2024
dc9d84b
Expand on 'why not just OIDC' and fix some typos
sandhose Sep 16, 2024
7c002e4
Add note on the history of the proposal
sandhose Jan 16, 2025
3a18b78
renamed 3861-delegated-oidc-architecture.md -> 3861-next-generation-a…
sandhose Jan 17, 2025
4928ca8
Define token revocation through MSC4254 & add sample flow
sandhose Jan 17, 2025
f67c1fc
Use the new version of MSC2965
sandhose Jan 17, 2025
185e0a5
List a few potential issues
sandhose Jan 17, 2025
90667ed
Mention areweoidcyet.com
sandhose Jan 17, 2025
5ca8111
Apply suggestions from code review
sandhose Jan 22, 2025
dbede1e
§ about how we keep the ecosystem open
sandhose Jan 22, 2025
56a6278
Update the alternatives table to stop mentioning 'OP'
sandhose Jan 22, 2025
152cd98
Reword how we mention MSC dependencies that are already in the spec
sandhose Jan 22, 2025
f5f02c2
Reformat with prettier
sandhose Jan 22, 2025
d76b9a2
Make it clearer what proposals are adjacente, write about ASes
sandhose Jan 22, 2025
9ff541c
Add links about the current C-S API
sandhose Jan 22, 2025
0a86b69
Add links to the spec
sandhose Jan 22, 2025
2acf438
Add links about OIDC and OAuth 2.0
sandhose Jan 22, 2025
246ee1e
Clarify what the 'system browser' means
sandhose Mar 4, 2025
60e1d74
Give an example of a better email verification flow
sandhose Mar 4, 2025
1b17e45
Typo
sandhose Mar 4, 2025
1724490
Reword what the benefits of using the homeserver's domain name are
sandhose Mar 4, 2025
f16ec4e
Apply suggestions from code review
sandhose Mar 5, 2025
b44f110
Talk more about the implications of scoped access tokens.
sandhose Mar 5, 2025
333a091
Linkify /capabilities
sandhose Mar 5, 2025
85c878a
Clarify that the sample flow is non-normative
sandhose Mar 5, 2025
559762d
Explain why we can't 'just use' OpenID Connect better
sandhose Mar 5, 2025
6f74515
Explain how currently HS can restrict client used
sandhose Mar 5, 2025
e797837
Clarify what 'UIA APIs' mean in this proposal
sandhose Mar 5, 2025
f48fb92
Mention that in theory UIA fallbacks also means implementation comple…
sandhose Mar 5, 2025
a5386b5
Clarify that it doesn't have to be the *default* browser
sandhose Mar 17, 2025
9df174c
Clarify that I meant /login
sandhose Mar 18, 2025
8e11401
Reword around dynamic registration
sandhose Mar 18, 2025
a838912
Reword: /login is not UIA!
sandhose Mar 18, 2025
3fcc854
Add link for "web-based fallback"
sandhose Mar 18, 2025
4a8817d
Typo
sandhose Mar 18, 2025
0960a79
Reword the browser redirect explanation
sandhose Mar 18, 2025
1706907
Remove easter egg
sandhose Mar 18, 2025
5bb8c57
Better outline the rationale for this MSC
sandhose Mar 25, 2025
4899c2f
Remove the redundant point about 'protecting the user's creds'
sandhose Mar 25, 2025
a379a33
Simplify the argument for client registration
sandhose Mar 25, 2025
f398886
Clarify what we aim to deprecate
sandhose Mar 25, 2025
0023db9
Typo
sandhose Mar 28, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
132 changes: 132 additions & 0 deletions proposals/3861-delegated-oidc-architecture.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,132 @@
# MSC3861: Matrix architecture change to delegate authentication via OIDC

This MSC proposes a change to the architecture of Matrix with respect to how authentication works.

## Existing architecture

Currently Matrix uses a custom authentication protocol baked in to the Client-Server API.

In a overly simplified form it looks a bit like this:

![](./images/3861-existing-architecture.png)

- Matrix Clients are required (and trusted) to show the UI for login and registration.
- Matrix Homeservers are responsible for authenticating users and issuing access tokens.

We've then added on things like: User-Interactive Auth which provides a standard for specifying an arbitrary sequence of steps including auth, T&C acceptance, CAPTCHA; password management; sessions management; and more.

The are issues with this current approach:

- 👎 Heavyweight for client and homeserver to implement and as a consequence many do not implement all capabilities
- e.g. Dendrite only does password auth
- 👎 Doesn't incorporate best security practices (particularly in case of SSO flow)
- 👎 Requires an MSC for every "new" auth capability such as 2FA and WebAuthn
- 👎 We're training our users to enter their Matrix credentials in random web pages and native apps

## Matrix is not an authentication protocol

Quoting the [spec](https://spec.matrix.org/latest/#introduction-to-the-matrix-apis):

> Matrix is a set of open APIs for open-federated Instant Messaging (IM), Voice over IP (VoIP) and Internet of Things (IoT) communication, designed to create and support a new global real-time communication ecosystem. The intention is to provide an **open decentralised pubsub layer for the internet for securely persisting and publishing/subscribing JSON objects**.

So, fundamentally, Matrix does not set out to be a authentication protocol.

Yes, the ecosystem needs authentication to work, but it is not core to the mission.

## Alternative architecture

The key concept of this proposal is the idea that the Matrix ecosystem would be better served by an architecture where authentication is decoupled from the Homeserver to some kind of authentication server.

That decoupling would be achieved by adopting an existing open authentication protocol rather than writing our own.

It would look something like this:

![](./images/3861-delegated-architecture.png)

Some of the benefits of this are:

- 👍 Simpler for Homeservers and clients to implement
- 👍 Benefits similar to SSO such as:
- logging into multiple clients on the same device without entering the credentials multiple times
- having the credentials bound to the auth server domain instead of the client (for password managers and WebAuthn)
- 👍 Benefit from larger existing community around a standard:
- Existing SDKs
- More battle testing and hardening
- 👍 Moves auth outside of the scope of Matrix spec
- ...allows the community to focus on what Matrix does best

It also allows the work of the Matrix community around auth to benefit other communities and users of the standard.

## Adoption of OIDC as delegated protocol of choice

Specifically it is proposed that the OpenID Connect (OIDC) protocol is chosen to support the Matrix ecosystem.

![](./images/3861-proposed-architecture.png)

There are six proposed action points:

1. Accept the set of MSCs to enable delegation via OIDC.
1. The Matrix.org Foundation join the [OpenID Foundation](https://openid.net/foundation/) as a non-profit member to support their work to build a robust and audited ecosystem for open authentication.
1. Deprecate non-OIDC auth related API endpoints or capabilities in existing Matrix APIs.
1. Provide migration support to the ecosystem.
1. Close all existing MSCs relating to non-OIDC as `obsolete`.
1. Remove the deprecated API endpoints/capabilities from the spec at an appropriate point in future.

Due to the complexity of this proposal it has been broken down into a number of constituent sub-proposals:


| Ref | Purpose |
| - | - |
| [MSC2964](https://github.com/matrix-org/matrix-doc/pull/2964) | Describes how homeservers can delegate auth to an OpenID Provider |
| [MSC2965](https://github.com/matrix-org/matrix-doc/pull/2965) | Describes how participants in the Matrix ecosystem can discover the available capabilities of OIDC-enabled Homeservers and OpenID Providers |
| [MSC2966](https://github.com/matrix-org/matrix-doc/pull/2966) | Describes how OAuth 2.0 Dynamic Client Registration can be used to facilitate interoperability and openness of clients whilst promoting trust |
| [MSC2967](https://github.com/matrix-org/matrix-doc/pull/2967) | Defines the namespace for a set of API scopes that can can expanded in future to allow for finer grained permissioning |
| [MSC3824](https://github.com/matrix-org/matrix-doc/pull/3824) | Proposes some minor changes to the C-S API to allow Matrix clients that are not fully OIDC-native to work best with an OIDC enabled homeserver that has is serving a compatibility layer |

## Potential issues

This proposal requires changes to all Clients, Homeservers, Bridges etc. This will take some time.

Furthermore, during a migration period it will be necessary to support both existing "legacy" auth as well as OIDC.

For existing Homeserver deployments we will need to work out migration paths and provide tools to facilitate the transition.

## Alternatives

The primary alternative is to continue to build out the auth capabilities within the Client-Server API.

For example, UIA (User-Interactive Auth) could be added to the `/login` endpoint and additional capabilities/flows added to UIA.

Examples of existing proposals include:

| Proposals | Comments |
| - | - |
| [MSC1998: Two-Factor Authentication Providers](https://github.com/matrix-org/matrix-spec-proposals/pull/1998)<br>[MSC2271: TOTP 2FA login](https://github.com/matrix-org/matrix-spec-proposals/pull/2271) | OP is free to implement MFA and many do. The [Matrix OIDC Playground](https://github.com/vector-im/oidc-playground) contains a Keycloak configured to demonstrate this |
| [MSC2000: Server-side password policies](https://github.com/matrix-org/matrix-spec-proposals/pull/2000) | Because the UI is served by the OP it is free to implement whatever password policies it sees fit |
| [MSC3105: Previewing UIA flows](https://github.com/matrix-org/matrix-spec-proposals/pull/3105)<br>[MSC3741: Revealing the useful login flows to clients after a soft logout](https://github.com/matrix-org/matrix-spec-proposals/pull/3741) | These become unnecessary as the burden to implement auth flows is moved away from the client to the OP |
| [MSC3262: aPAKE authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3262)<br>[MSC2957: Cryptographically Concealed Credentials](https://github.com/matrix-org/matrix-spec-proposals/pull/2957) | This is an interesting one as OIDC explicitly discourages a user from trusting their client with credentials. As such there is no existing flow for PAKEs. To achieve this in OIDC you would need to implement a custom grant in the Client and OP (perhaps an extension of the Resource Owner Password Credentials flow).|
| [MSC3782: Matrix public key login spec](https://github.com/matrix-org/matrix-spec-proposals/pull/3782) | Similar to above |
| [MSC3744: Support for flexible authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3744) | OIDC would instead be used as the pluggable layer for auth in Matrix|

## Security considerations

Please refer to individual proposals.

## Unstable prefix

Please refer to individual proposals.

## Dependencies

The following MSCs are part of this proposal:

- [MSC2964](https://github.com/matrix-org/matrix-doc/pull/2964)
- [MSC2965](https://github.com/matrix-org/matrix-doc/pull/2965)
- [MSC2966](https://github.com/matrix-org/matrix-doc/pull/2966)
- [MSC2967](https://github.com/matrix-org/matrix-doc/pull/2967)
- [MSC3824](https://github.com/matrix-org/matrix-doc/pull/3824)

The following MSCs are not directly part of this proposal but this proposal assumes that these are accepted:

- [MSC3970: Scope transaction IDs to devices](https://github.com/matrix-org/matrix-spec-proposals/pull/3970)
- [MSC3967: Do not require UIA when first uploading cross signing keys](https://github.com/matrix-org/matrix-spec-proposals/pull/3967)
Binary file added proposals/images/3861-delegated-architecture.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added proposals/images/3861-existing-architecture.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added proposals/images/3861-proposed-architecture.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.