From 78f8d1322f220018d51281885ca237a724831366 Mon Sep 17 00:00:00 2001
From: Patrick Cloke <patrickc@matrix.org>
Date: Fri, 8 May 2020 11:27:11 -0400
Subject: [PATCH] Add MSC2454 to the specification.

---
 .../client_server/newsfragments/2532.feature  |  1 +
 specification/client_server_api.rst           | 33 +++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 changelogs/client_server/newsfragments/2532.feature

diff --git a/changelogs/client_server/newsfragments/2532.feature b/changelogs/client_server/newsfragments/2532.feature
new file mode 100644
index 00000000..cf74a289
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2532.feature
@@ -0,0 +1 @@
+Add User-Interactive Authentication for SSO-backed homeserver per `MSC2454 <https://github.com/matrix-org/matrix-doc/pull/2454>`_.
diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst
index eb32d3b4..581f0c28 100644
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@@ -643,6 +643,7 @@ This specification defines the following auth types:
  - ``m.login.password``
  - ``m.login.recaptcha``
  - ``m.login.oauth2``
+ - ``m.login.sso``
  - ``m.login.email.identity``
  - ``m.login.msisdn``
  - ``m.login.token``
@@ -782,6 +783,38 @@ the auth code. Homeservers can choose any path for the ``redirect URI``. Once
 the OAuth flow has completed, the client retries the request with the session
 only, as above.
 
+Single Sign-On
+<<<<<<<<<<<<<<
+:Type:
+  ``m.login.sso``
+:Description:
+  Authentication is supported by authorising with an external single sign-on
+  provider.
+
+A client wanting to complete authentication using SSO should use the
+`Fallback`_ authentication flow by opening a browser window for
+``/_matrix/client/r0/auth/m.login.sso/fallback/web?session=<...>`` with the
+session parameter set to the session ID provied by the server.
+
+The homeserver should return a page which asks for the user's confirmation
+before proceeding. For example, the page could say words to the effect of:
+
+  A client is trying to remove a device/add an email address/take over your
+  account. To confirm this action, re-authenticate with single sign-on. If you
+  did not expect this, your account may be compromised!
+
+Once the user has confirmed they should be redirected to the single sign-on
+provider's login page. Once the provider has validated the user, the browser is
+redirected back to the homeserver.
+
+The homeserver then validates the response from the single sign-on provider and
+updates the user-interactive authentication session to mark the single sign-on
+stage has been completed. The browser is shown the fallback authentication
+completion page.
+
+Once the flow has completed, the client retries the request with the session
+only, as above.
+
 Email-based (identity / homeserver)
 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 :Type: