wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Deprecate authentication via a query string (#1808)

Browse source 
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
This commit is contained in:
Kévin Commaille 2024-04-30 18:07:59 +02:00 committed by GitHub
parent ae70b5fcf3
commit 625999a039
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 31 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

1
changelogs/client_server/newsfragments/1808.clarification Normal file
View file

@ -0,0 +1 @@
Deprecate authentication via a query string, as per [MSC4126](https://github.com/matrix-org/matrix-spec-proposals/issues/4126).

1
changelogs/identity_service/newsfragments/1808.clarification Normal file
View file

@ -0,0 +1 @@
Deprecate authentication via a query string, as per [MSC4126](https://github.com/matrix-org/matrix-spec-proposals/issues/4126).

22
content/client-server-api/_index.md
View file

@ -390,8 +390,7 @@ specify parameter values. The flow for this method is as follows:
## Client Authentication ## Client Authentication
Most API endpoints require the user to identify themselves by presenting Most API endpoints require the user to identify themselves by presenting
previously obtained credentials in the form of an `access_token` query previously obtained credentials in the form of an access token.
parameter or through an Authorization Header of `Bearer $access_token`.
An access token is typically obtained via the [Login](#login) or An access token is typically obtained via the [Login](#login) or
[Registration](#account-registration-and-management) processes. Access tokens [Registration](#account-registration-and-management) processes. Access tokens
can expire; a new access token can be generated by using a refresh token. can expire; a new access token can be generated by using a refresh token.
@ -405,16 +404,19 @@ investigate [macaroons](http://research.google.com/pubs/pub41892.html).
### Using access tokens ### Using access tokens
Access tokens may be provided in two ways, both of which the homeserver Access tokens may be provided via a request header, using the Authentication
MUST support: Bearer scheme: `Authorization: Bearer TheTokenHere`.
1. Via a query string parameter, `access_token=TheTokenHere`. Clients may alternatively provide the access token via a query string parameter:
2. Via a request header, `Authorization: Bearer TheTokenHere`. `access_token=TheTokenHere`. This method is deprecated to prevent the access
token being leaked in access/HTTP logs and SHOULD NOT be used by clients.
Clients are encouraged to use the `Authorization` header where possible Homeservers MUST support both methods.
to prevent the access token being leaked in access/HTTP logs. The query
string should only be used in cases where the `Authorization` header is {{% boxes/note %}}
inaccessible for the client. {{% changed-in v="1.11" %}}
Sending the access token as a query string parameter is now deprecated.
{{% /boxes/note %}}
When credentials are required but missing or invalid, the HTTP call will When credentials are required but missing or invalid, the HTTP call will
return with a status of 401 and the error code, `M_MISSING_TOKEN` or return with a status of 401 and the error code, `M_MISSING_TOKEN` or

19
content/identity-service-api.md
View file

@ -162,15 +162,20 @@ of access tokens to authenticate users. The access tokens provided by an
Identity Server cannot be used to authenticate Client-Server API Identity Server cannot be used to authenticate Client-Server API
requests. requests.
An access token is provided to an endpoint in one of two ways: Access tokens may be provided via a request header, using the
Authentication Bearer scheme: `Authorization: Bearer TheTokenHere`.
1. Via a query string parameter, `access_token=TheTokenHere`. Clients may alternatively provide the access token via a query string
2. Via a request header, `Authorization: Bearer TheTokenHere`. parameter: `access_token=TheTokenHere`. This method is deprecated to
prevent the access token being leaked in access/HTTP logs and SHOULD NOT
be used by clients.
Clients are encouraged to the use the `Authorization` header where Identity Servers MUST support both methods.
possible to prevent the access token being leaked in access/HTTP logs.
The query string should only be used in cases where the `Authorization` {{% boxes/note %}}
header is inaccessible for the client. {{% changed-in v="1.11" %}}
Sending the access token as a query string parameter is now deprecated.
{{% /boxes/note %}}
When credentials are required but missing or invalid, the HTTP call will When credentials are required but missing or invalid, the HTTP call will
return with a status of 401 and the error code `M_UNAUTHORIZED`. return with a status of 401 and the error code `M_UNAUTHORIZED`.

5
data/api/client-server/definitions/security.yaml
View file

@ -14,7 +14,7 @@
accessTokenQuery: accessTokenQuery:
type: apiKey type: apiKey
description: |- description: |-
The `access_token` returned by a call to `/login` or `/register`, as a query **Deprecated.** The `access_token` returned by a call to `/login` or `/register`, as a query
parameter. parameter.
It can also be the `as_token` of an application service. It can also be the `as_token` of an application service.
@ -33,7 +33,8 @@ accessTokenBearer:
appserviceAccessTokenQuery: appserviceAccessTokenQuery:
type: apiKey type: apiKey
description: |- description: |-
The `as_token` of an application service, as a query parameter. **Deprecated.** The `as_token` of an application service, as a query
parameter.
name: access_token name: access_token
in: query in: query
appserviceAccessTokenBearer: appserviceAccessTokenBearer:

3
data/api/identity/definitions/security.yaml
View file

@ -14,7 +14,8 @@
accessTokenQuery: accessTokenQuery:
type: apiKey type: apiKey
description: |- description: |-
The `access_token` returned by a call to `/register`, as a query parameter. **Deprecated.** The `access_token` returned by a call to `/register`, as a
query parameter.
name: access_token name: access_token
in: query in: query
accessTokenBearer: accessTokenBearer: