Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC3231: Token authenticated registration #3231

Merged
merged 15 commits into from
Sep 27, 2021
Merged

MSC3231: Token authenticated registration #3231

merged 15 commits into from
Sep 27, 2021

Conversation

govynnus
Copy link
Contributor

@govynnus govynnus commented Jun 4, 2021
edited
Loading

Rendered

Signed-off-by: Callum Brown callum@calcuode.com

A couple questions:

  • All the other UIAA auth types start m.login, so should I stick with that even though it's registration rather than login? [yes]
  • Is the unstable prefix bit right? [yes]

@govynnus
Proposal for token authenticated registration
79c74c2 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus govynnus marked this pull request as draft June 4, 2021 11:08
@uhoreg uhoreg added client-server Client-Server API kind:feature MSC for not-core and not-maintenance stuff proposal A matrix spec change proposal labels Jun 4, 2021
@govynnus
Hard-wrap lines
0a93e43 
Signed-off-by: Callum Brown <callum@calcuode.com>
@cvwright

This comment has been minimized.

Sign in to view
@anoadragon453
Copy link
Member

@cvwright Could I ask that you convert your question into an inline discussion on the PR? It allows for threading an easier management of discussions as the proposal evolves. Otherwise, great question!

anoadragon453
anoadragon453 reviewed Jun 4, 2021
View reviewed changes
Copy link
Member

@anoadragon453 anoadragon453 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is excellent for a first draft! Short and sweet, though no doubt additional conclusions will be added as discussions progress.

I'm happy that token management is left as an implementation detail. One could argue that various features could be piled on top, such as communicating the amount of uses left on a particular token back to the client. But realistically that would only add unnecessary complication (plus not being easy to do with /register).

As for your initial questions:

All the other UIAA auth types start m.login, so should I stick with that even though it's registration rather than login?

My personal preference is to stick with m.login (which is indeed odd as /login does not use UIAA, but alas...) for consistency, as well as not to confuse people with thinking that the various m.login.* types cannot be used for registration. It may be a nice idea to rename them all in a future, sweeping change though.

Is the unstable prefix bit right?

Yep. org.matrix.msc3231* is fair game, and it looks like a prefix is indeed only required for the registration type. I had one small comment about the wording, but otherwise it looks correct.

proposals/3231-token-authenticated-registration.md Outdated Show resolved Hide resolved
proposals/3231-token-authenticated-registration.md Outdated Show resolved Hide resolved
proposals/3231-token-authenticated-registration.md Show resolved Hide resolved
proposals/3231-token-authenticated-registration.md Show resolved Hide resolved
govynnus added 3 commits June 4, 2021 17:35
@govynnus
Link to released version of spec
5b93cfd 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Fix unstable prefix wording
1606dc4 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Tokens should only be invalidated after registration
5ba0996 
Signed-off-by: Callum Brown <callum@calcuode.com>
@cvwright
Copy link

cvwright commented Jun 4, 2021

I'm happy that token management is left as an implementation detail. One could argue that various features could be piled on top, such as communicating the amount of uses left on a particular token back to the client. But realistically that would only add unnecessary complication (plus not being easy to do with /register).

It would be great to have another MSC on the topic of token management. Agreed that this does not feel like the right place for it.

Currently Midnight has no HTTP interface for managing or creating tokens. If there were a standard way to do it, I'd be happy to take a stab at implementing that spec.

@govynnus
Copy link
Contributor Author

govynnus commented Jun 4, 2021
edited
Loading

@anoadragon453 I agree now that it should stick to m.login. Would m.login.registration-token be OK?

Or you could have m.login.registration_token or m.login.registration.token.

I can't see anywhere in the spec if it says dashes or underscores are preferred.

Edit: I've gone with m.login.registration_token.

@govynnus
Copy link
Contributor Author

govynnus commented Jun 4, 2021

It would be great to have another MSC on the topic of token management. Agreed that this does not feel like the right place for it.

Currently Midnight has no HTTP interface for managing or creating tokens. If there were a standard way to do it, I'd be happy to take a stab at implementing that spec.

As @deepbluev7 mentioned in a Matrix room:

I agree that it would be nice to have a standardized API to generate such tokens, but there are not really any admin endpoints in the spec yet... ._.

That would also entail specifying how tokens can be invalidated (time based, number of uses etc.)

@govynnus
Copy link
Contributor Author

govynnus commented Jun 4, 2021
edited
Loading

Also, I've been having a go at a proof-of-concept in Synapse, and found that (similar to captchas) there should be a dummy stage after the token stage if that flow would otherwise only contain the token stage.

That avoids the server seeing a complete flow and doing the registration if clients are actually trying to complete a different flow which might have 3PIDs after the token stage.

(I'm unsure if that's intelligible...)

Should that be mentioned in the MSC?

Edit: I don't think it should be. The spec talks about it for m.login.dummy.

@govynnus govynnus marked this pull request as ready for review June 4, 2021 17:28
@deepbluev7
Copy link
Contributor

deepbluev7 commented Jun 5, 2021
edited
Loading

Could we please stick to threads on this MSC for any comments people have, so that it will be easier to see, what is resolved and what is still being discussed? Github sadly gets messy quickly otherwise D:

Just use a random line, if you can't figure out where to put it.

@govynnus
Change auth type to m.login.registration_token
aa8e896 
This is consistent with the other UIAA auth types, and does not suggest
that other `m.login.*` types cannot be used for registration.

Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus govynnus force-pushed the token-registration branch from 46dcf00 to aa8e896 Compare June 7, 2021 15:55
@govynnus
Add proposal for checking the validity of a token
84b9976 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus govynnus mentioned this pull request Jun 8, 2021
Merged
5 tasks
@turt2live turt2live added proposal-in-review needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. labels Jun 8, 2021
govynnus added 3 commits June 10, 2021 21:31
@govynnus
Fix validity checking endpoint
7e73525 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Limit allowed characters and length of token
22f1f93 
This allows tokens to be used easily in query parameters

Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus
Give reason for limiting token length and chars
32a9c01 
Signed-off-by: Callum Brown <callum@calcuode.com>
@govynnus govynnus mentioned this pull request Nov 9, 2021
Merged
@turt2live turt2live mentioned this pull request Jan 1, 2022
Merged
@turt2live
Copy link
Member

Spec PR: #3616

@turt2live turt2live self-assigned this Jan 1, 2022
@turt2live turt2live added spec-pr-in-review A proposal which has been PR'd against the spec and is in review and removed spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec labels Jan 1, 2022
@turt2live
Copy link
Member

Merged 🎉

@turt2live turt2live added merged A proposal whose PR has merged into the spec! and removed spec-pr-in-review A proposal which has been PR'd against the spec and is in review labels Jan 5, 2022
@ShadowJonathan ShadowJonathan mentioned this pull request Jan 31, 2022
Closed
@Half-Shot Half-Shot mentioned this pull request Feb 9, 2022
Closed
@MidhunSureshR MidhunSureshR mentioned this pull request Feb 16, 2022
Merged
@kfiven kfiven mentioned this pull request Jul 9, 2022
Closed
@S7evinK S7evinK mentioned this pull request Sep 29, 2023
Open
16 tasks
@matrixbot matrixbot mentioned this pull request Nov 1, 2024
Open
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timokoesters timokoesters timokoesters left review comments

@ShadowJonathan ShadowJonathan ShadowJonathan left review comments

@deepbluev7 deepbluev7 deepbluev7 left review comments

@cvwright cvwright cvwright left review comments

@Half-Shot Half-Shot Half-Shot left review comments

@richvdh richvdh richvdh approved these changes

@anoadragon453 anoadragon453 anoadragon453 left review comments

@uhoreg uhoreg uhoreg left review comments

@dbkr dbkr dbkr left review comments

@kevincox kevincox kevincox left review comments

@erikjohnston erikjohnston erikjohnston approved these changes

@turt2live turt2live turt2live approved these changes

Assignees

@turt2live turt2live

Labels
client-server Client-Server API kind:feature MSC for not-core and not-maintenance stuff merged A proposal whose PR has merged into the spec! proposal A matrix spec change proposal
Projects
Spec Core Team Backlog
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.