Describe social-sign-on (multiple SSO providers)
Spec for [MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858)
parent 457f3995af
commit 3b426846fe
4 changed files with 207 additions and 2 deletions
@ -39,6 +39,12 @@ authentication the homeserver should provide a means for the
administrator to configure where the CAS server is and the REST
endpoints which consume the ticket.
Homeservers may optionally expose multiple possible SSO options for
the user to persue, typically in the form of several "login with $service"
buttons. These services, or "identity providers" (IdPs), are typically
OpenID Connect, though the exact protocol used is not a concern for this
specification.
#### Client login via SSO
An overview of the process is as follows:
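Review bot: typo in the added paragraph, "for the user to persue" should read "for the user to pursue". Two smaller wording points in the same lines: "These services, or "identity providers" (IdPs), are typically OpenID Connect" is more precise as "typically speak OpenID Connect", since OIDC is the protocol a provider implements rather than what the provider is; and since this is the first place the term IdP appears, it would help to say here that the list of providers is what the homeserver advertises as `identity_providers` in the login flow, which is the field the later hunks rely on.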
@ -49,6 +55,8 @@ An overview of the process is as follows:
2. To initiate the `m.login.sso` login type, the Matrix client
instructs the user's browser to navigate to the
[`/login/sso/redirect`](/client-server-api/#get_matrixclientr0loginssoredirect) endpoint on the user's homeserver.
Note that this may be the IdP-dependent version of the endpoint if the
user has selected one of the `identity_providers` from the flow.
3. The homeserver responds with an HTTP redirect to the SSO user
interface, which the browser follows.
4. The authentication server and the homeserver interact to verify the
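Review bot: the note added to step 2 refers to "the IdP-dependent version of the endpoint" without naming it; link the endpoint here the way the Client behaviour section does, e.g. "Note that this may be the IdP-specific [`/login/sso/redirect/{idpId}`](/client-server-api/#get_matrixclientr0loginssoredirectidpid) endpoint if the user has selected one of the `identity_providers` from the flow." "From the flow" is also vague on its own; "advertised in the `m.login.sso` flow" says where the list of providers comes from.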
@ -97,10 +105,15 @@ endpoint to use: for `m.login.cas`, use `/cas/redirect` and for
otherwise the same.
{{% /boxes/note %}}
{{% definition path="api/client-server/definitions/sso_login_flow" %}}
##### Client behaviour
The client starts the process by instructing the browser to navigate to
[`/login/sso/redirect`](/client-server-api/#get_matrixclientr0loginssoredirect) with an appropriate `redirectUrl`. Once
[`/login/sso/redirect`](/client-server-api/#get_matrixclientr0loginssoredirect)
(or [`/login/sso/redirect/{idpId}`](/client-server-api/#get_matrixclientr0loginssoredirectidpid)
when using one of the `identity_providers`)
with an appropriate `redirectUrl`. Once
authentication is successful, the browser will be redirected to that
`redirectUrl`.
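Review bot: the new parenthetical splits the sentence so that "with an appropriate `redirectUrl`" is separated from the endpoint it qualifies; keep it as one sentence, e.g. "navigate to [`/login/sso/redirect`](/client-server-api/#get_matrixclientr0loginssoredirect) (or [`/login/sso/redirect/{idpId}`](/client-server-api/#get_matrixclientr0loginssoredirectidpid) to select one of the `identity_providers`) with an appropriate `redirectUrl`." Since both endpoints take the same `redirectUrl` and both end with the browser being sent to it, it is worth stating once that the two are identical apart from the provider selection, in the same way the note above says the CAS and SSO redirect endpoints are "otherwise the same", so a reader does not take the `{idpId}` form to behave differently with respect to `redirectUrl`.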
@ -141,6 +154,10 @@ authentication is successful, the browser will be redirected to that
##### Server behaviour
Servers should note that `identity_providers` are optional, and older clients
might not interpret the value correctly. In these cases, the client will use
the generic `/redirect` endpoint instead of the `/redirect/{idpId}` endpoint.
###### Redirecting to the Authentication server
The server should handle
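Review bot: the added Server behaviour paragraph says what older clients will do (use the generic `/redirect` endpoint) but not what the server is expected to do when that endpoint is hit while several `identity_providers` are configured, and this is the section where that belongs; state the expected behaviour explicitly (for example, that the server must still complete the login via the generic endpoint, either choosing a provider itself or letting the user choose, rather than rejecting the request). Two wording points: "might not interpret the value correctly" reads as if the client misparses it, whereas "might not recognise the field" is what is meant for a client that predates it; and the endpoints should be given by their full paths (`/login/sso/redirect` and `/login/sso/redirect/{idpId}`) as elsewhere in the document, since bare `/redirect` is ambiguous next to the `/cas/redirect` endpoint mentioned above.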