- 
                Notifications
    You must be signed in to change notification settings 
- Fork 413
MSC3861: Next-generation auth for Matrix, based on OAuth 2.0/OIDC #3861
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
          
     Merged
      
        
      
    
  
     Merged
                    Changes from 6 commits
      Commits
    
    
            Show all changes
          
          
            55 commits
          
        
        Select commit
          Hold shift + click to select a range
      
      4521510
              
                Matrix architecture change to delegate authentication via OIDC
              
              
                hughns 4550bbc
              
                MSC3861
              
              
                hughns 00cd76d
              
                typoe
              
              
                ara4n b684b84
              
                typoes
              
              
                ara4n dd60163
              
                typoes
              
              
                ara4n 9e58990
              
                Add proposal for Matrix.org Foundation to become member of OpenID Fou…
              
              
                hughns fb0dfe7
              
                Update proposals/3861-delegated-oidc-architecture.md
              
              
                hughns 45c0b1c
              
                Move images inline
              
              
                hughns ba0c3dc
              
                Use term OpenID Provider
              
              
                hughns ef76bfa
              
                Add note about extending UIA as alternative
              
              
                hughns 4bffdc9
              
                Add reference to related MSCs
              
              
                hughns 46adfad
              
                Rework the MSC to better explain the rationale for the change
              
              
                sandhose ab746d5
              
                Start writing the actual proposal
              
              
                sandhose 1f1ef22
              
                Remove unused images
              
              
                sandhose dc9d84b
              
                Expand on 'why not just OIDC' and fix some typos
              
              
                sandhose 7c002e4
              
                Add note on the history of the proposal
              
              
                sandhose 3a18b78
              
                renamed 3861-delegated-oidc-architecture.md -> 3861-next-generation-a…
              
              
                sandhose 4928ca8
              
                Define token revocation through MSC4254 & add sample flow
              
              
                sandhose f67c1fc
              
                Use the new version of MSC2965
              
              
                sandhose 185e0a5
              
                List a few potential issues
              
              
                sandhose 90667ed
              
                Mention areweoidcyet.com
              
              
                sandhose 5ca8111
              
                Apply suggestions from code review
              
              
                sandhose dbede1e
              
                § about how we keep the ecosystem open
              
              
                sandhose 56a6278
              
                Update the alternatives table to stop mentioning 'OP'
              
              
                sandhose 152cd98
              
                Reword how we mention MSC dependencies that are already in the spec
              
              
                sandhose f5f02c2
              
                Reformat with prettier
              
              
                sandhose d76b9a2
              
                Make it clearer what proposals are adjacente, write about ASes
              
              
                sandhose 9ff541c
              
                Add links about the current C-S API
              
              
                sandhose 0a86b69
              
                Add links to the spec
              
              
                sandhose 2acf438
              
                Add links about OIDC and OAuth 2.0
              
              
                sandhose 246ee1e
              
                Clarify what the 'system browser' means
              
              
                sandhose 60e1d74
              
                Give an example of a better email verification flow
              
              
                sandhose 1b17e45
              
                Typo
              
              
                sandhose 1724490
              
                Reword what the benefits of using the homeserver's domain name are
              
              
                sandhose f16ec4e
              
                Apply suggestions from code review
              
              
                sandhose b44f110
              
                Talk more about the implications of scoped access tokens.
              
              
                sandhose 333a091
              
                Linkify /capabilities
              
              
                sandhose 85c878a
              
                Clarify that the sample flow is non-normative
              
              
                sandhose 559762d
              
                Explain why we can't 'just use' OpenID Connect better
              
              
                sandhose 6f74515
              
                Explain how currently HS can restrict client used
              
              
                sandhose e797837
              
                Clarify what 'UIA APIs' mean in this proposal
              
              
                sandhose f48fb92
              
                Mention that in theory UIA fallbacks also means implementation comple…
              
              
                sandhose a5386b5
              
                Clarify that it doesn't have to be the *default* browser
              
              
                sandhose 9df174c
              
                Clarify that I meant /login
              
              
                sandhose 8e11401
              
                Reword around dynamic registration
              
              
                sandhose a838912
              
                Reword: /login is not UIA!
              
              
                sandhose 3fcc854
              
                Add link for "web-based fallback"
              
              
                sandhose 4a8817d
              
                Typo
              
              
                sandhose 0960a79
              
                Reword the browser redirect explanation
              
              
                sandhose 1706907
              
                Remove easter egg
              
              
                sandhose 5bb8c57
              
                Better outline the rationale for this MSC
              
              
                sandhose 4899c2f
              
                Remove the redundant point about 'protecting the user's creds'
              
              
                sandhose a379a33
              
                Simplify the argument for client registration
              
              
                sandhose f398886
              
                Clarify what we aim to deprecate
              
              
                sandhose 0023db9
              
                Typo
              
              
                sandhose File filter
Filter by extension
Conversations
          Failed to load comments.   
        
        
          
      Loading
        
  Jump to
        
          Jump to file
        
      
      
          Failed to load files.   
        
        
          
      Loading
        
  Diff view
Diff view
There are no files selected for viewing
  
    
      This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
      Learn more about bidirectional Unicode characters
    
  
  
    
              | Original file line number | Diff line number | Diff line change | 
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| # MSC3861: Matrix architecture change to delegate authentication via OIDC | ||
|         
                  turt2live marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
|  | ||
| This MSC proposes a change to the architecture of Matrix with respect to how authentication works. | ||
|  | ||
| ## Existing architecture | ||
|  | ||
| Currently Matrix uses a custom authentication protocol baked in to the Client-Server API. | ||
|  | ||
| In a overly simplified form it looks a bit like this: | ||
|  | ||
|  | ||
|         
                  hughns marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
|  | ||
| - Matrix Clients are required (and trusted) to show the UI for login and registration. | ||
| - Matrix Homeservers are responsible for authenticating users and issuing access tokens. | ||
|  | ||
| We've then added on things like: User-Interactive Auth which provides a standard for specifying an arbitrary sequence of steps including auth, T&C acceptance, CAPTCHA; password management; sessions management; and more. | ||
|  | ||
| The are issues with this current approach: | ||
|  | ||
| - 👎 Heavyweight for client and homeserver to implement and as a consequence many do not implement all capabilities | ||
| - e.g. Dendrite only does password auth | ||
| - 👎 Doesn't incorporate best security practices (particularly in case of SSO flow) | ||
| - 👎 Requires an MSC for every "new" auth capability such as 2FA and WebAuthn | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| - 👎 We're training our users to enter their Matrix credentials in random web pages and native apps | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
|  | ||
| ## Matrix is not an authentication protocol | ||
|  | ||
| Quoting the [spec](https://spec.matrix.org/latest/#introduction-to-the-matrix-apis): | ||
|  | ||
| > Matrix is a set of open APIs for open-federated Instant Messaging (IM), Voice over IP (VoIP) and Internet of Things (IoT) communication, designed to create and support a new global real-time communication ecosystem. The intention is to provide an **open decentralised pubsub layer for the internet for securely persisting and publishing/subscribing JSON objects**. | ||
|  | ||
| So, fundamentally, Matrix does not set out to be a authentication protocol. | ||
|  | ||
| Yes, the ecosystem needs authentication to work, but it is not core to the mission. | ||
|  | ||
| ## Alternative architecture | ||
|  | ||
| The key concept of this proposal is the idea that the Matrix ecosystem would be better served by an architecture where authentication is decoupled from the Homeserver to some kind of authentication server. | ||
|  | ||
| That decoupling would be achieved by adopting an existing open authentication protocol rather than writing our own. | ||
|  | ||
| It would look something like this: | ||
|  | ||
|  | ||
|  | ||
| Some of the benefits of this are: | ||
|  | ||
| - 👍 Simpler for Homeservers and clients to implement | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| - 👍 Benefits similar to SSO such as: | ||
| - logging into multiple clients on the same device without entering the credentials multiple times | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| - having the credentials bound to the auth server domain instead of the client (for password managers and WebAuthn) | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| - 👍 Benefit from larger existing community around a standard: | ||
| - Existing SDKs | ||
| - More battle testing and hardening | ||
| - 👍 Moves auth outside of the scope of Matrix spec | ||
| - ...allows the community to focus on what Matrix does best | ||
|  | ||
| It also allows the work of the Matrix community around auth to benefit other communities and users of the standard. | ||
|  | ||
| ## Adoption of OIDC as delegated protocol of choice | ||
|  | ||
| Specifically it is proposed that the OpenID Connect (OIDC) protocol is chosen to support the Matrix ecosystem. | ||
|  | ||
|  | ||
|  | ||
| There are six proposed action points: | ||
|  | ||
| 1. Accept the set of MSCs to enable delegation via OIDC. | ||
| 1. The Matrix.org Foundation join the [OpenID Foundation](https://openid.net/foundation/) as a non-profit member to support their work to build a robust and audited ecosystem for open authentication. | ||
| 1. Deprecate non-OIDC auth related API endpoints or capabilities in existing Matrix APIs. | ||
| 1. Provide migration support to the ecosystem. | ||
| 1. Close all existing MSCs relating to non-OIDC as `obsolete`. | ||
|         
                  turt2live marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| 1. Remove the deprecated API endpoints/capabilities from the spec at an appropriate point in future. | ||
|  | ||
| Due to the complexity of this proposal it has been broken down into a number of constituent sub-proposals: | ||
|  | ||
|  | ||
| | Ref | Purpose | | ||
| | - | - | | ||
| | [MSC2964](https://github.com/matrix-org/matrix-doc/pull/2964) | Describes how homeservers can delegate auth to an OIDC Provider | | ||
| | [MSC2965](https://github.com/matrix-org/matrix-doc/pull/2965) | Describes how participants in the Matrix ecosystem can discover the available capabilities of OIDC-enabled Homeservers and OIDC Providers | | ||
| | [MSC2966](https://github.com/matrix-org/matrix-doc/pull/2966) | Describes how OAuth 2.0 Dynamic Client Registration can be used to facilitate interoperability and openness of clients whilst promoting trust | | ||
| | [MSC2967](https://github.com/matrix-org/matrix-doc/pull/2967) | Defines the namespace for a set of API scopes that can can expanded in future to allow for finer grained permissioning | | ||
| | [MSC3824](https://github.com/matrix-org/matrix-doc/pull/3824) | Proposes some minor changes to the C-S API to allow Matrix clients that are not fully OIDC-native to work best with an OIDC enabled homeserver that has is serving a compatibility layer | | ||
|  | ||
| ## Potential issues | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
|  | ||
| This proposal requires changes to all Clients, Homeservers, Bridges etc. This will take some time. | ||
|  | ||
| Furthermore, during a migration period it will be necessary to support both existing "legacy" auth as well as OIDC. | ||
|  | ||
| For existing Homeserver deployments we will need to work out migration paths and provide tools to facilitate the transition. | ||
|  | ||
| ## Alternatives | ||
|  | ||
| The primary alternative is to continue to build out the auth capabilities within the Client Server API. | ||
|  | ||
| Examples of existing proposals include: | ||
|  | ||
|  | ||
| | Proposals | Comments | | ||
| | - | - | | ||
| | [MSC1998: Two-Factor Authentication Providers](https://github.com/matrix-org/matrix-spec-proposals/pull/1998)<br>[MSC2271: TOTP 2FA login](https://github.com/matrix-org/matrix-spec-proposals/pull/2271) | OP is free to implement MFA and many do. The [Matrix OIDC Playground](https://github.com/vector-im/oidc-playground) contains a Keycloak configured to demonstrate this | | ||
| | [MSC2000: Server-side password policies](https://github.com/matrix-org/matrix-spec-proposals/pull/2000) | Because the UI is served by the OP it is free to implement whatever password policies it sees fit | | ||
| | [MSC3105: Previewing UIA flows](https://github.com/matrix-org/matrix-spec-proposals/pull/3105)<br>[MSC3741: Revealing the useful login flows to clients after a soft logout](https://github.com/matrix-org/matrix-spec-proposals/pull/3741) | These become unnecessary as the burdon to implement auth flows is moved away from the client to the OP | | ||
|         
                  hughns marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| | [MSC3262: aPAKE authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3262)<br>[MSC2957: Cryptographically Concealed Credentials](https://github.com/matrix-org/matrix-spec-proposals/pull/2957) | This is an interesting one as OIDC explicitly discourages a user from trusting their client with credentials. As such there is no existing flow for PAKEs. To achieve this in OIDC you would need to implement a custom grant in the Client and OP (perhaps an extension of the Resource Owner Password Credentials flow).| | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
| | [MSC3782: Matrix public key login spec](https://github.com/matrix-org/matrix-spec-proposals/pull/3782) | Similar to above | | ||
| | [MSC3744: Support for flexible authentication](https://github.com/matrix-org/matrix-spec-proposals/pull/3744) | OIDC would instead be used as the pluggable layer for auth in Matrix| | ||
|  | ||
| ## Security considerations | ||
|  | ||
| Please refer to individual proposals. | ||
|         
                  sandhose marked this conversation as resolved.
              Outdated
          
            Show resolved
            Hide resolved | ||
|  | ||
| ## Unstable prefix | ||
|  | ||
| Please refer to individual proposals. | ||
|  | ||
| ## Dependencies | ||
|  | ||
| The following MSCs are part of this proposal: | ||
|  | ||
| - [MSC2964](https://github.com/matrix-org/matrix-doc/pull/2964) | ||
| - [MSC2965](https://github.com/matrix-org/matrix-doc/pull/2965) | ||
| - [MSC2966](https://github.com/matrix-org/matrix-doc/pull/2966) | ||
| - [MSC2967](https://github.com/matrix-org/matrix-doc/pull/2967) | ||
| - [MSC3824](https://github.com/matrix-org/matrix-doc/pull/3824) | ||
  Add this suggestion to a batch that can be applied as a single commit.
  This suggestion is invalid because no changes were made to the code.
  Suggestions cannot be applied while the pull request is closed.
  Suggestions cannot be applied while viewing a subset of changes.
  Only one suggestion per line can be applied in a batch.
  Add this suggestion to a batch that can be applied as a single commit.
  Applying suggestions on deleted lines is not supported.
  You must change the existing code in this line in order to create a valid suggestion.
  Outdated suggestions cannot be applied.
  This suggestion has been applied or marked resolved.
  Suggestions cannot be applied from pending reviews.
  Suggestions cannot be applied on multi-line comments.
  Suggestions cannot be applied while the pull request is queued to merge.
  Suggestion cannot be applied right now. Please check back later.
  
    
  
    
Uh oh!
There was an error while loading. Please reload this page.