wholetrans/docs-matrix-spec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Actually we're going with "identity server" afterall

Browse source
This commit is contained in:
Travis Ralston 2018-08-31 15:03:48 -06:00
parent ec248b436f
commit 7ac76fa27c
32 changed files with 152 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

24
api/client-server/administrative_contact.yaml
View file

@ -35,7 +35,7 @@ paths:
associated with the user's account. associated with the user's account.
This is *not* the same as the list of third party identifiers bound to This is *not* the same as the list of third party identifiers bound to
the user's Matrix ID in identity services. the user's Matrix ID in identity servers.
Identifiers in this list may be used by the homeserver as, for example, Identifiers in this list may be used by the homeserver as, for example,
identifiers that it will accept to reset the user's account password. identifiers that it will accept to reset the user's account password.
@ -77,7 +77,7 @@ paths:
format: int64 format: int64
description: |- description: |-
The timestamp, in milliseconds, when the identifier was The timestamp, in milliseconds, when the identifier was
validated by the identity service. validated by the identity server.
added_at: added_at:
type: integer type: integer
format: int64 format: int64
@ -106,13 +106,13 @@ paths:
properties: properties:
client_secret: client_secret:
type: string type: string
description: The client secret used in the session with the identity service. description: The client secret used in the session with the identity server.
id_server: id_server:
type: string type: string
description: The identity service to use. description: The identity server to use.
sid: sid:
type: string type: string
description: The session identifier given by the identity service. description: The session identifier given by the identity server.
required: ["client_secret", "id_server", "sid"] required: ["client_secret", "id_server", "sid"]
bind: bind:
type: boolean type: boolean
@ -138,11 +138,11 @@ paths:
schema: schema:
type: object type: object
403: 403:
description: The credentials could not be verified with the identity service. description: The credentials could not be verified with the identity server.
examples: examples:
application/json: { application/json: {
"errcode": "M_THREEPID_AUTH_FAILED", "errcode": "M_THREEPID_AUTH_FAILED",
"error": "The third party credentials could not be verified by the identity service." "error": "The third party credentials could not be verified by the identity server."
} }
schema: schema:
"$ref": "definitions/errors/error.yaml" "$ref": "definitions/errors/error.yaml"
@ -153,7 +153,7 @@ paths:
summary: Deletes a third party identifier from the user's account summary: Deletes a third party identifier from the user's account
description: |- description: |-
Removes a third party identifier from the user's account. This might not Removes a third party identifier from the user's account. This might not
cause an unbind of the identifier from the identity service. cause an unbind of the identifier from the identity server.
operationId: delete3pidFromAccount operationId: delete3pidFromAccount
security: security:
- accessToken: [] - accessToken: []
@ -187,7 +187,7 @@ paths:
post: post:
summary: Begins the validation process for an email address for association with the user's account. summary: Begins the validation process for an email address for association with the user's account.
description: |- description: |-
Proxies the identity service API ``validate/email/requestToken``, but Proxies the identity server API ``validate/email/requestToken``, but
first checks that the given email address is **not** already associated first checks that the given email address is **not** already associated
with an account on this homeserver. This API should be used to request with an account on this homeserver. This API should be used to request
validation tokens when adding an email address to an account. This API's validation tokens when adding an email address to an account. This API's
@ -206,7 +206,7 @@ paths:
id_server: id_server:
type: string type: string
description: |- description: |-
The hostname of the identity service to communicate with. May The hostname of the identity server to communicate with. May
optionally include a port. optionally include a port.
example: "id.example.com" example: "id.example.com"
required: ['id_server'] required: ['id_server']
@ -241,7 +241,7 @@ paths:
post: post:
summary: Begins the validation process for a phone number for association with the user's account. summary: Begins the validation process for a phone number for association with the user's account.
description: |- description: |-
Proxies the identity service API ``validate/msisdn/requestToken``, but Proxies the identity server API ``validate/msisdn/requestToken``, but
first checks that the given phone number is **not** already associated first checks that the given phone number is **not** already associated
with an account on this homeserver. This API should be used to request with an account on this homeserver. This API should be used to request
validation tokens when adding a phone number to an account. This API's validation tokens when adding a phone number to an account. This API's
@ -260,7 +260,7 @@ paths:
id_server: id_server:
type: string type: string
description: |- description: |-
The hostname of the identity service to communicate with. May The hostname of the identity server to communicate with. May
optionally include a port. optionally include a port.
example: "id.example.com" example: "id.example.com"
required: ['id_server'] required: ['id_server']

4
api/client-server/create_room.yaml
View file

@ -138,10 +138,10 @@ paths:
properties: properties:
id_server: id_server:
type: string type: string
description: The hostname+port of the identity service which should be used for third party identifier lookups. description: The hostname+port of the identity server which should be used for third party identifier lookups.
medium: medium:
type: string type: string
# TODO: Link to identity service spec when it eixsts # TODO: Link to identity server spec when it eixsts
description: The kind of address being passed in the address field, for example ``email``. description: The kind of address being passed in the address field, for example ``email``.
address: address:
type: string type: string

6
api/client-server/definitions/wellknown/identity_server.yaml
View file

@ -11,14 +11,14 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
title: Identity Service Information title: Identity Server Information
description: |- description: |-
Used by clients to discover identity service information. Used by clients to discover identity server information.
type: object type: object
properties: properties:
base_url: base_url:
type: string type: string
description: The base URL for the identity service for client-server connections. description: The base URL for the identity server for client-server connections.
example: https://identity.example.com example: https://identity.example.com
required: required:
- base_url - base_url

26
api/client-server/registration.yaml
View file

@ -92,7 +92,7 @@ paths:
type: boolean type: boolean
description: |- description: |-
If true, the server binds the email used for authentication to If true, the server binds the email used for authentication to
the Matrix ID with the identity service. the Matrix ID with the identity server.
example: false example: false
username: username:
type: string type: string
@ -204,9 +204,9 @@ paths:
post: post:
summary: Begins the validation process for an email to be used during registration. summary: Begins the validation process for an email to be used during registration.
description: |- description: |-
Proxies the identity service API ``validate/email/requestToken``, but Proxies the identity server API ``validate/email/requestToken``, but
first checks that the given email address is not already associated first checks that the given email address is not already associated
with an account on this homeserver. See the identity service API for with an account on this homeserver. See the identity server API for
further information. further information.
operationId: requestTokenToRegisterEmail operationId: requestTokenToRegisterEmail
parameters: parameters:
@ -221,7 +221,7 @@ paths:
id_server: id_server:
type: string type: string
description: |- description: |-
The hostname of the identity service to communicate with. May The hostname of the identity server to communicate with. May
optionally include a port. optionally include a port.
example: "id.example.com" example: "id.example.com"
required: ['id_server'] required: ['id_server']
@ -251,7 +251,7 @@ paths:
instead send an email to the user with instructions on how to reset their password. instead send an email to the user with instructions on how to reset their password.
This prevents malicious parties from being able to determine if a given email address This prevents malicious parties from being able to determine if a given email address
has an account on the homeserver in question. has an account on the homeserver in question.
* ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an identity service * ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an identity server
that is not trusted by this homeserver. that is not trusted by this homeserver.
examples: examples:
application/json: { application/json: {
@ -264,9 +264,9 @@ paths:
post: post:
summary: Requests a validation token be sent to the given phone number for the purpose of registering an account summary: Requests a validation token be sent to the given phone number for the purpose of registering an account
description: |- description: |-
Proxies the identity service API ``validate/msisdn/requestToken``, but Proxies the identity server API ``validate/msisdn/requestToken``, but
first checks that the given phone number is not already associated first checks that the given phone number is not already associated
with an account on this homeserver. See the identity service API for with an account on this homeserver. See the identity server API for
further information. further information.
operationId: requestTokenToRegisterMSISDN operationId: requestTokenToRegisterMSISDN
parameters: parameters:
@ -281,7 +281,7 @@ paths:
id_server: id_server:
type: string type: string
description: |- description: |-
The hostname of the identity service to communicate with. May The hostname of the identity server to communicate with. May
optionally include a port. optionally include a port.
example: "id.example.com" example: "id.example.com"
required: ['id_server'] required: ['id_server']
@ -311,7 +311,7 @@ paths:
instead send an SMS message to the user with instructions on how to reset their password. instead send an SMS message to the user with instructions on how to reset their password.
This prevents malicious parties from being able to determine if a given phone number This prevents malicious parties from being able to determine if a given phone number
has an account on the homeserver in question. has an account on the homeserver in question.
* ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an identity service * ``M_SERVER_NOT_TRUSTED`` : The ``id_server`` parameter refers to an identity server
that is not trusted by this homeserver. that is not trusted by this homeserver.
examples: examples:
application/json: { application/json: {
@ -373,7 +373,7 @@ paths:
post: post:
summary: Requests a validation token be sent to the given email address for the purpose of resetting a user's password summary: Requests a validation token be sent to the given email address for the purpose of resetting a user's password
description: |- description: |-
Proxies the identity service API ``validate/email/requestToken``, but Proxies the identity server API ``validate/email/requestToken``, but
first checks that the given email address **is** associated with an account first checks that the given email address **is** associated with an account
on this homeserver. This API should be used to request on this homeserver. This API should be used to request
validation tokens when authenticating for the validation tokens when authenticating for the
@ -400,7 +400,7 @@ paths:
id_server: id_server:
type: string type: string
description: |- description: |-
The hostname of the identity service to communicate with. May The hostname of the identity server to communicate with. May
optionally include a port. optionally include a port.
example: "id.example.com" example: "id.example.com"
required: ['id_server'] required: ['id_server']
@ -435,7 +435,7 @@ paths:
post: post:
summary: Requests a validation token be sent to the given phone number for the purpose of resetting a user's password. summary: Requests a validation token be sent to the given phone number for the purpose of resetting a user's password.
description: |- description: |-
Proxies the identity service API ``validate/msisdn/requestToken``, but Proxies the identity server API ``validate/msisdn/requestToken``, but
first checks that the given phone number **is** associated with an account first checks that the given phone number **is** associated with an account
on this homeserver. This API should be used to request on this homeserver. This API should be used to request
validation tokens when authenticating for the validation tokens when authenticating for the
@ -462,7 +462,7 @@ paths:
id_server: id_server:
type: string type: string
description: |- description: |-
The hostname of the identity service to communicate with. May The hostname of the identity server to communicate with. May
optionally include a port. optionally include a port.
example: "id.example.com" example: "id.example.com"
required: ['id_server'] required: ['id_server']

18
api/client-server/third_party_membership.yaml
View file

@ -36,7 +36,7 @@ paths:
*Note that there are two forms of this API, which are documented separately. *Note that there are two forms of this API, which are documented separately.
This version of the API does not require that the inviter know the Matrix This version of the API does not require that the inviter know the Matrix
identifier of the invitee, and instead relies on third party identifiers. identifier of the invitee, and instead relies on third party identifiers.
The homeserver uses an identity service to perform the mapping from The homeserver uses an identity server to perform the mapping from
third party identifier to a Matrix identifier. The other is documented in the* third party identifier to a Matrix identifier. The other is documented in the*
`joining rooms section`_. `joining rooms section`_.
@ -47,31 +47,31 @@ paths:
Only users currently in a particular room can invite other users to Only users currently in a particular room can invite other users to
join that room. join that room.
If the identity service did know the Matrix user identifier for the If the identity server did know the Matrix user identifier for the
third party identifier, the homeserver will append a ``m.room.member`` third party identifier, the homeserver will append a ``m.room.member``
event to the room. event to the room.
If the identity service does not know a Matrix user identifier for the If the identity server does not know a Matrix user identifier for the
passed third party identifier, the homeserver will issue an invitation passed third party identifier, the homeserver will issue an invitation
which can be accepted upon providing proof of ownership of the third which can be accepted upon providing proof of ownership of the third
party identifier. This is achieved by the identity service generating a party identifier. This is achieved by the identity server generating a
token, which it gives to the inviting homeserver. The homeserver will token, which it gives to the inviting homeserver. The homeserver will
add an ``m.room.third_party_invite`` event into the graph for the room, add an ``m.room.third_party_invite`` event into the graph for the room,
containing that token. containing that token.
When the invitee binds the invited third party identifier to a Matrix When the invitee binds the invited third party identifier to a Matrix
user ID, the identity service will give the user a list of pending user ID, the identity server will give the user a list of pending
invitations, each containing: invitations, each containing:
- The room ID to which they were invited - The room ID to which they were invited
- The token given to the homeserver - The token given to the homeserver
- A signature of the token, signed with the identity service's private key - A signature of the token, signed with the identity server's private key
- The matrix user ID who invited them to the room - The matrix user ID who invited them to the room
If a token is requested from the identity service, the homeserver will If a token is requested from the identity server, the homeserver will
append a ``m.room.third_party_invite`` event to the room. append a ``m.room.third_party_invite`` event to the room.
.. _joining rooms section: `invite-by-user-id-endpoint`_ .. _joining rooms section: `invite-by-user-id-endpoint`_
@ -98,10 +98,10 @@ paths:
properties: properties:
id_server: id_server:
type: string type: string
description: The hostname+port of the identity service which should be used for third party identifier lookups. description: The hostname+port of the identity server which should be used for third party identifier lookups.
medium: medium:
type: string type: string
# TODO: Link to identity service spec when it eixsts # TODO: Link to identity server spec when it eixsts
description: The kind of address being passed in the address field, for example ``email``. description: The kind of address being passed in the address field, for example ``email``.
address: address:
type: string type: string

2
api/client-server/wellknown.yaml
View file

@ -54,7 +54,7 @@ paths:
description: Information about the homeserver to connect to. description: Information about the homeserver to connect to.
"$ref": "definitions/wellknown/homeserver.yaml" "$ref": "definitions/wellknown/homeserver.yaml"
m.identity_server: m.identity_server:
description: Optional. Information about the identity service to connect to. description: Optional. Information about the identity server to connect to.
"$ref": "definitions/wellknown/identity_server.yaml" "$ref": "definitions/wellknown/identity_server.yaml"
additionalProperties: additionalProperties:
description: Application-dependent keys using Java package naming convention. description: Application-dependent keys using Java package naming convention.

4
api/identity/associations.yaml
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Establishing Associations API" title: "Matrix Identity Server Establishing Associations API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:
@ -166,7 +166,7 @@ paths:
signatures: signatures:
type: object type: object
description: |- description: |-
The signatures of the verifying identity services which show that the The signatures of the verifying identity servers which show that the
association should be trusted, if you trust the verifying identity association should be trusted, if you trust the verifying identity
services. services.
$ref: "../../schemas/server-signatures.yaml" $ref: "../../schemas/server-signatures.yaml"

2
api/identity/definitions/request_email_validation.yaml
View file

@ -33,7 +33,7 @@ properties:
is a number greater than the most recent one which it has seen, is a number greater than the most recent one which it has seen,
scoped to that ``email`` + ``client_secret`` pair. This is to scoped to that ``email`` + ``client_secret`` pair. This is to
avoid repeatedly sending the same email in the case of request avoid repeatedly sending the same email in the case of request
retries between the POSTing user and the identity service. retries between the POSTing user and the identity server.
The client should increment this value if they desire a new The client should increment this value if they desire a new
email (e.g. a reminder) to be sent. email (e.g. a reminder) to be sent.
example: 1 example: 1

2
api/identity/definitions/request_msisdn_validation.yaml
View file

@ -41,7 +41,7 @@ properties:
scoped to that ``country`` + ``phone_number`` + ``client_secret`` scoped to that ``country`` + ``phone_number`` + ``client_secret``
triple. This is to avoid repeatedly sending the same SMS in triple. This is to avoid repeatedly sending the same SMS in
the case of request retries between the POSTing user and the the case of request retries between the POSTing user and the
identity service. The client should increment this value if identity server. The client should increment this value if
they desire a new SMS (e.g. a reminder) to be sent. they desire a new SMS (e.g. a reminder) to be sent.
example: 1 example: 1
next_link: next_link:

6
api/identity/email_associations.yaml
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Email Associations API" title: "Matrix Identity Server Email Associations API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:
@ -30,8 +30,8 @@ paths:
description: |- description: |-
Create a session for validating an email address. Create a session for validating an email address.
The identity service will send an email containing a token. If that The identity server will send an email containing a token. If that
token is presented to the identity service in the future, it indicates token is presented to the identity server in the future, it indicates
that that user was able to read the email for that email address, and that that user was able to read the email for that email address, and
so we validate ownership of the email address. so we validate ownership of the email address.

4
api/identity/invitation_signing.yaml
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Ephemeral Invitation Signing API" title: "Matrix Identity Server Ephemeral Invitation Signing API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:
@ -30,7 +30,7 @@ paths:
description: |- description: |-
Sign invitation details. Sign invitation details.
The identity service will look up ``token`` which was stored in a call The identity server will look up ``token`` which was stored in a call
to ``store-invite``, and fetch the sender of the invite. to ``store-invite``, and fetch the sender of the invite.
operationId: blindlySignStuff operationId: blindlySignStuff
parameters: parameters:

4
api/identity/lookup.yaml
View file

@ -16,7 +16,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Lookup API" title: "Matrix Identity Server Lookup API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:
@ -86,7 +86,7 @@ paths:
description: The unix timestamp at which the association was verified. description: The unix timestamp at which the association was verified.
signatures: signatures:
type: object type: object
description: The signatures of the verifying identity services which show that the association should be trusted, if you trust the verifying identity services. description: The signatures of the verifying identity servers which show that the association should be trusted, if you trust the verifying identity servers.
$ref: "../../schemas/server-signatures.yaml" $ref: "../../schemas/server-signatures.yaml"
required: required:
- address - address

8
api/identity/phone_associations.yaml
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Phone Number Associations API" title: "Matrix Identity Server Phone Number Associations API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:
@ -30,8 +30,8 @@ paths:
description: |- description: |-
Create a session for validating a phone number. Create a session for validating a phone number.
The identity service will send an SMS message containing a token. If The identity server will send an SMS message containing a token. If
that token is presented to the identity service in the future, it that token is presented to the identity server in the future, it
indicates that that user was able to read the SMS for that phone indicates that that user was able to read the SMS for that phone
number, and so we validate ownership of the phone number. number, and so we validate ownership of the phone number.
@ -62,7 +62,7 @@ paths:
- ``M_INVALID_ADDRESS``: The phone number provided was invalid. - ``M_INVALID_ADDRESS``: The phone number provided was invalid.
- ``M_SEND_ERROR``: The validation SMS could not be sent. - ``M_SEND_ERROR``: The validation SMS could not be sent.
- ``M_DESTINATION_REJECTED``: The identity service cannot deliver an - ``M_DESTINATION_REJECTED``: The identity server cannot deliver an
SMS to the provided country or region. SMS to the provided country or region.
examples: examples:
application/json: { application/json: {

12
api/identity/ping.yaml
View file

@ -15,7 +15,7 @@
swagger: "2.0" swagger: "2.0"
info: info:
title: "Matrix Identity Service Ping API" title: "Matrix Identity Server Ping API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:
@ -26,19 +26,19 @@ produces:
paths: paths:
"/api/v1": "/api/v1":
get: get:
summary: Checks that an identity service is available at this API endpoint. summary: Checks that an identity server is available at this API endpoint.
description: |- description: |-
Checks that an identity service is available at this API endpoint. Checks that an identity server is available at this API endpoint.
To discover that an identity service is available at a specific URL, To discover that an identity server is available at a specific URL,
this endpoint can be queried and will return an empty object. this endpoint can be queried and will return an empty object.
This is primarly used for auto-discovery and health check purposes This is primarly used for auto-discovery and health check purposes
by entities acting as a client for the identity service. by entities acting as a client for the identity server.
operationId: ping operationId: ping
responses: responses:
200: 200:
description: An identity service is ready to serve requests. description: An identity server is ready to serve requests.
examples: examples:
application/json: {} application/json: {}
schema: schema:

2
api/identity/pubkey.yaml
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Public Key API" title: "Matrix Identity Server Public Key API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:

2
api/identity/store_invite.yaml
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
swagger: '2.0' swagger: '2.0'
info: info:
title: "Matrix Identity Service Store Invitations API" title: "Matrix Identity Server Store Invitations API"
version: "1.0.0" version: "1.0.0"
host: localhost:8090 host: localhost:8090
schemes: schemes:

18
api/server-server/third_party_invite.yaml
View file

@ -200,9 +200,9 @@ paths:
Notifies the server that a third party identifier has been bound to one Notifies the server that a third party identifier has been bound to one
of its users. of its users.
description: |- description: |-
Used by identity services to notify the homeserver that one of its users Used by identity servers to notify the homeserver that one of its users
has bound a third party identifier successfully, including any pending has bound a third party identifier successfully, including any pending
room invites the identity service has been made aware of. room invites the identity server has been made aware of.
operationId: onBindThirdPartyIdentifier operationId: onBindThirdPartyIdentifier
parameters: parameters:
- in: body - in: body
@ -262,9 +262,9 @@ paths:
# also make sure it isn't lying about anything, like the key version # also make sure it isn't lying about anything, like the key version
signed: signed:
type: object type: object
title: Identity Service Signatures title: Identity Server Signatures
description: |- description: |-
Signature from the identity service using a long-term private Signature from the identity server using a long-term private
key. key.
properties: properties:
mxid: mxid:
@ -280,14 +280,14 @@ paths:
example: "Hello World" example: "Hello World"
signatures: signatures:
type: object type: object
title: Identity Service Signature title: Identity Server Signature
description: |- description: |-
The signature from the identity service. The ``string`` key The signature from the identity server. The ``string`` key
is the identity service's domain name, such as vector.im is the identity server's domain name, such as vector.im
additionalProperties: additionalProperties:
type: object type: object
title: Identity Service Domain Signature title: Identity Server Domain Signature
description: The signature for the identity service. description: The signature for the identity server.
properties: properties:
"ed25519:0": "ed25519:0":
type: string type: string

2
changelogs/client_server.rst
View file

@ -76,7 +76,7 @@ r0.3.0
- Spec clarifications: - Spec clarifications:
- Add endpoints and logic for invites and third-party invites to the federation - Add endpoints and logic for invites and third-party invites to the federation
spec and update the JSON of the request sent by the identity service upon 3PID spec and update the JSON of the request sent by the identity server upon 3PID
binding binding
(`#997 <https://github.com/matrix-org/matrix-doc/pull/997>`_) (`#997 <https://github.com/matrix-org/matrix-doc/pull/997>`_)
- Fix "membership" property on third-party invite upgrade example - Fix "membership" property on third-party invite upgrade example

0
changelogs/identity_service.rst → changelogs/identity_server.rst
View file

0
changelogs/identity_service/newsfragments/.gitignore → changelogs/identity_server/newsfragments/.gitignore vendored
View file

2
changelogs/identity_service/pyproject.toml → changelogs/identity_server/pyproject.toml
View file

@ -1,5 +1,5 @@
[tool.towncrier] [tool.towncrier]
filename = "../identity_service.rst" filename = "../identity_server.rst"
directory = "newsfragments" directory = "newsfragments"
issue_format = "`#{issue} <https://github.com/matrix-org/matrix-doc/issues/{issue}>`_" issue_format = "`#{issue} <https://github.com/matrix-org/matrix-doc/issues/{issue}>`_"
title_format = "{version}" title_format = "{version}"

4
meta/documentation_style.rst
View file

@ -69,10 +69,10 @@ have English as their first language.
Prefer British English (colour, -ise) to American English. Prefer British English (colour, -ise) to American English.
The word "homeserver" is spelt thus (rather than "home server", "Homeserver", The word "homeserver" is spelt thus (rather than "home server", "Homeserver",
or (argh) "Home Server"). However, an identity service is two words. or (argh) "Home Server"). However, an identity server is two words.
.. Rationale: "homeserver" distinguishes from a "home server" which is a server .. Rationale: "homeserver" distinguishes from a "home server" which is a server
you have at home. "identity service" is clear, whereas "identityservice" is you have at home. "identity server" is clear, whereas "identityservice" is
horrible. horrible.
Lists should: Lists should:

2
meta/releasing_a_spec.md
View file

@ -1,7 +1,7 @@
# How to release a specification # How to release a specification
There are several specifications that belong to matrix, such as the client-server There are several specifications that belong to matrix, such as the client-server
specification, server-server specification, and identity service specification. Each specification, server-server specification, and identity server specification. Each
of these gets released independently of each other with their own version numbers. of these gets released independently of each other with their own version numbers.
Once a specification is ready for release, a branch should be created to track the Once a specification is ready for release, a branch should be created to track the

2
scripts/gendoc.py
View file

@ -527,7 +527,7 @@ if __name__ == '__main__':
) )
parser.add_argument( parser.add_argument(
"--identity_release", "-i", action="store", default="unstable", "--identity_release", "-i", action="store", default="unstable",
help="The identity service release tag to generate, e.g. r1.2" help="The identity server release tag to generate, e.g. r1.2"
) )
parser.add_argument( parser.add_argument(
"--list_targets", action="store_true", "--list_targets", action="store_true",

4
scripts/templating/matrix_templates/sections.py
View file

@ -37,9 +37,9 @@ class MatrixSections(Sections):
changelogs = self.units.get("changelogs") changelogs = self.units.get("changelogs")
return changelogs["push_gateway"] return changelogs["push_gateway"]
def render_identity_service_changelog(self): def render_identity_server_changelog(self):
changelogs = self.units.get("changelogs") changelogs = self.units.get("changelogs")
return changelogs["identity_service"] return changelogs["identity_server"]
def render_server_server_changelog(self): def render_server_server_changelog(self):
changelogs = self.units.get("changelogs") changelogs = self.units.get("changelogs")

2
scripts/templating/matrix_templates/units.py
View file

@ -773,7 +773,7 @@ class MatrixUnits(Units):
as_ver, as_ver,
"Privileged server plugins", "Privileged server plugins",
), TypeTableRow( ), TypeTableRow(
"`Identity Service API <identity_service/"+is_ver+".html>`_", "`Identity Server API <identity_server/"+is_ver+".html>`_",
"unstable", "unstable",
"Mapping of third party IDs to Matrix IDs", "Mapping of third party IDs to Matrix IDs",
), TypeTableRow( ), TypeTableRow(

14
specification/client_server_api.rst
View file

@ -145,7 +145,7 @@ Some requests have unique error codes:
Sent when a threepid given to an API cannot be used because no record matching the threepid was found. Sent when a threepid given to an API cannot be used because no record matching the threepid was found.
:``M_SERVER_NOT_TRUSTED``: :``M_SERVER_NOT_TRUSTED``:
The client's request used a third party server, eg. identity service, that this server does not trust. The client's request used a third party server, eg. identity server, that this server does not trust.
:``M_UNSUPPORTED_ROOM_VERSION``: :``M_UNSUPPORTED_ROOM_VERSION``:
The client's request to create a room used a room version that the server does not support. The client's request to create a room used a room version that the server does not support.
@ -257,7 +257,7 @@ specify parameter values. The flow for this method is as follows:
points to a valid homeserver. points to a valid homeserver.
f. If the ``m.identity_server`` property is present, extract the f. If the ``m.identity_server`` property is present, extract the
``base_url`` value for use as the base URL of the identity service. ``base_url`` value for use as the base URL of the identity server.
Validation for this URL is done as in the step above, but using Validation for this URL is done as in the step above, but using
``/_matrix/identity/api/v1`` as the endpoint to connect to. If the ``/_matrix/identity/api/v1`` as the endpoint to connect to. If the
``m.identity_server`` property is present, but does not have a ``m.identity_server`` property is present, but does not have a
@ -685,7 +685,7 @@ the auth code. Homeservers can choose any path for the ``redirect URI``. Once
the OAuth flow has completed, the client retries the request with the session the OAuth flow has completed, the client retries the request with the session
only, as above. only, as above.
Email-based (identity service) Email-based (identity server)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<< <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
:Type: :Type:
``m.login.email.identity`` ``m.login.email.identity``
@ -705,9 +705,9 @@ To use this authentication type, clients should submit an auth dict as follows:
"type": "m.login.email.identity", "type": "m.login.email.identity",
"threepidCreds": [ "threepidCreds": [
{ {
"sid": "<identity service session id>", "sid": "<identity server session id>",
"client_secret": "<identity service client secret>", "client_secret": "<identity server client secret>",
"id_server": "<url of identity service authed with, e.g. 'matrix.org:8090'>" "id_server": "<url of identity server authed with, e.g. 'matrix.org:8090'>"
} }
], ],
"session": "<session ID>" "session": "<session ID>"
@ -995,7 +995,7 @@ Adding Account Administrative Contact Information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A homeserver may keep some contact information for administrative use. A homeserver may keep some contact information for administrative use.
This is independent of any information kept by any identity services. This is independent of any information kept by any identity servers.
{{administrative_contact_cs_http_api}} {{administrative_contact_cs_http_api}}

40
specification/identity_service_api.rst → specification/identity_server_api.rst
View file

@ -15,7 +15,7 @@
.. See the License for the specific language governing permissions and .. See the License for the specific language governing permissions and
.. limitations under the License. .. limitations under the License.
Identity Service API Identity Server API
==================== ====================
{{unstable_warning_block_IDENTITY_RELEASE_LABEL}} {{unstable_warning_block_IDENTITY_RELEASE_LABEL}}
@ -23,7 +23,7 @@ Identity Service API
The Matrix client-server and server-server APIs are largely expressed in Matrix The Matrix client-server and server-server APIs are largely expressed in Matrix
user identifiers. From time to time, it is useful to refer to users by other user identifiers. From time to time, it is useful to refer to users by other
("third-party") identifiers, or "3pid"s, e.g. their email address or phone ("third-party") identifiers, or "3pid"s, e.g. their email address or phone
number. This identity service specification describes how mappings between number. This identity server specification describes how mappings between
third-party identifiers and Matrix user identifiers can be established, third-party identifiers and Matrix user identifiers can be established,
validated, and used. This description technically may apply to any 3pid, but in validated, and used. This description technically may apply to any 3pid, but in
practice has only been applied specifically to email addresses and phone numbers. practice has only been applied specifically to email addresses and phone numbers.
@ -35,14 +35,14 @@ Changelog
--------- ---------
.. topic:: Version: %IDENTITY_RELEASE_LABEL% .. topic:: Version: %IDENTITY_RELEASE_LABEL%
{{identity_service_changelog}} {{identity_server_changelog}}
This version of the specification is generated from This version of the specification is generated from
`matrix-doc <https://github.com/matrix-org/matrix-doc>`_ as of Git commit `matrix-doc <https://github.com/matrix-org/matrix-doc>`_ as of Git commit
`{{git_version}} <https://github.com/matrix-org/matrix-doc/tree/{{git_rev}}>`_. `{{git_version}} <https://github.com/matrix-org/matrix-doc/tree/{{git_rev}}>`_.
For the full historical changelog, see For the full historical changelog, see
https://github.com/matrix-org/matrix-doc/blob/master/changelogs/identity_service.rst https://github.com/matrix-org/matrix-doc/blob/master/changelogs/identity_server.rst
Other versions of this specification Other versions of this specification
@ -50,25 +50,25 @@ Other versions of this specification
The following other versions are also available, in reverse chronological order: The following other versions are also available, in reverse chronological order:
- `HEAD <https://matrix.org/docs/spec/identity_service/unstable.html>`_: Includes all changes since the latest versioned release. - `HEAD <https://matrix.org/docs/spec/identity_server/unstable.html>`_: Includes all changes since the latest versioned release.
General principles General principles
------------------ ------------------
The purpose of an identity service is to validate, store, and answer questions The purpose of an identity server is to validate, store, and answer questions
about the identities of users. In particular, it stores associations of the form about the identities of users. In particular, it stores associations of the form
"identifier X represents the same user as identifier Y", where identities may "identifier X represents the same user as identifier Y", where identities may
exist on different systems (such as email addresses, phone numbers, exist on different systems (such as email addresses, phone numbers,
Matrix user IDs, etc). Matrix user IDs, etc).
The identity service has some private-public keypairs. When asked about an The identity server has some private-public keypairs. When asked about an
association, it will sign details of the association with its private key. association, it will sign details of the association with its private key.
Clients may validate the assertions about associations by verifying the signature Clients may validate the assertions about associations by verifying the signature
with the public key of the identity service. with the public key of the identity server.
In general, identity services are treated as reliable oracles. They do not In general, identity servers are treated as reliable oracles. They do not
necessarily provide evidence that they have validated associations, but claim to necessarily provide evidence that they have validated associations, but claim to
have done so. Establishing the trustworthiness of an individual identity service have done so. Establishing the trustworthiness of an individual identity server
is left as an exercise for the client. is left as an exercise for the client.
3PID types are described in `3PID Types`_ Appendix. 3PID types are described in `3PID Types`_ Appendix.
@ -76,7 +76,7 @@ is left as an exercise for the client.
API standards API standards
------------- -------------
The mandatory baseline for identity service communication in Matrix is exchanging The mandatory baseline for identity server communication in Matrix is exchanging
JSON objects over HTTP APIs. HTTPS is required for communication, and all API calls JSON objects over HTTP APIs. HTTPS is required for communication, and all API calls
use a Content-Type of ``application/json``. In addition, strings MUST be encoded as use a Content-Type of ``application/json``. In addition, strings MUST be encoded as
UTF-8. UTF-8.
@ -145,7 +145,7 @@ Some standard error codes are below:
Privacy Privacy
------- -------
Identity is a privacy-sensitive issue. While the identity service exists to Identity is a privacy-sensitive issue. While the identity server exists to
provide identity information, access should be restricted to avoid leaking provide identity information, access should be restricted to avoid leaking
potentially sensitive data. In particular, being able to construct large-scale potentially sensitive data. In particular, being able to construct large-scale
connections between identities should be avoided. To this end, in general APIs connections between identities should be avoided. To this end, in general APIs
@ -157,7 +157,7 @@ Web browser clients
------------------- -------------------
It is realistic to expect that some clients will be written to be run within a web It is realistic to expect that some clients will be written to be run within a web
browser or similar environment. In these cases, the identity service should respond to browser or similar environment. In these cases, the identity server should respond to
pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers on all pre-flight requests and supply Cross-Origin Resource Sharing (CORS) headers on all
requests. requests.
@ -177,17 +177,17 @@ Status check
Key management Key management
-------------- --------------
An identity service has some long-term public-private keypairs. These are named An identity server has some long-term public-private keypairs. These are named
in a scheme ``algorithm:identifier``, e.g. ``ed25519:0``. When signing an in a scheme ``algorithm:identifier``, e.g. ``ed25519:0``. When signing an
association, the standard `Signing JSON`_ algorithm applies. association, the standard `Signing JSON`_ algorithm applies.
.. TODO: Actually allow identity services to revoke all keys .. TODO: Actually allow identity servers to revoke all keys
See: https://github.com/matrix-org/matrix-doc/issues/1633 See: https://github.com/matrix-org/matrix-doc/issues/1633
.. In the event of key compromise, the identity service may revoke any of its keys. .. In the event of key compromise, the identity server may revoke any of its keys.
An HTTP API is offered to get public keys, and check whether a particular key is An HTTP API is offered to get public keys, and check whether a particular key is
valid. valid.
The identity service may also keep track of some short-term public-private The identity server may also keep track of some short-term public-private
keypairs, which may have different usage and lifetime characteristics than the keypairs, which may have different usage and lifetime characteristics than the
service's long-term keys. service's long-term keys.
@ -241,14 +241,14 @@ General
Invitation storage Invitation storage
------------------ ------------------
An identity service can store pending invitations to a user's 3pid, which will An identity server can store pending invitations to a user's 3pid, which will
be retrieved and can be either notified on or look up when the 3pid is be retrieved and can be either notified on or look up when the 3pid is
associated with a Matrix user ID. associated with a Matrix user ID.
At a later point, if the owner of that particular 3pid binds it with a Matrix user At a later point, if the owner of that particular 3pid binds it with a Matrix user
ID, the identity service will attempt to make an HTTP POST to the Matrix user's ID, the identity server will attempt to make an HTTP POST to the Matrix user's
homeserver via the `/3pid/onbind`_ endpoint. The request MUST be signed with a homeserver via the `/3pid/onbind`_ endpoint. The request MUST be signed with a
long-term private key for the identity service. long-term private key for the identity server.
{{store_invite_is_http_api}} {{store_invite_is_http_api}}

4
specification/index.rst
View file

@ -107,7 +107,7 @@ The functionality that Matrix provides includes:
- Managing user accounts (registration, login, logout) - Managing user accounts (registration, login, logout)
- Use of 3rd Party IDs (3PIDs) such as email addresses, phone numbers, - Use of 3rd Party IDs (3PIDs) such as email addresses, phone numbers,
Facebook accounts to authenticate, identify and discover users on Matrix. Facebook accounts to authenticate, identify and discover users on Matrix.
- Trusted federation of identity services for: - Trusted federation of identity servers for:
+ Publishing user public keys for PKI + Publishing user public keys for PKI
+ Mapping of 3PIDs to Matrix IDs + Mapping of 3PIDs to Matrix IDs
@ -386,7 +386,7 @@ network accounts and phone numbers to their user ID. Linking 3PIDs creates a
mapping from a 3PID to a user ID. This mapping can then be used by Matrix mapping from a 3PID to a user ID. This mapping can then be used by Matrix
users in order to discover the user IDs of their contacts. users in order to discover the user IDs of their contacts.
In order to ensure that the mapping from 3PID to user ID is genuine, a globally In order to ensure that the mapping from 3PID to user ID is genuine, a globally
federated cluster of trusted "identity services" (IS) are used to verify the 3PID federated cluster of trusted "identity servers" (IS) are used to verify the 3PID
and persist and replicate the mappings. and persist and replicate the mappings.
Usage of an IS is not required in order for a client application to be part of Usage of an IS is not required in order for a client application to be part of

34
specification/modules/third_party_invites.rst
View file

@ -24,14 +24,14 @@ There are two flows here; one if a Matrix user ID is known for the third party
identifier, and one if not. Either way, the client calls ``/invite`` with the identifier, and one if not. Either way, the client calls ``/invite`` with the
details of the third party identifier. details of the third party identifier.
The homeserver asks the identity service whether a Matrix user ID is known for The homeserver asks the identity server whether a Matrix user ID is known for
that identifier: that identifier:
- If it is, an invite is simply issued for that user. - If it is, an invite is simply issued for that user.
- If it is not, the homeserver asks the identity service to record the details of - If it is not, the homeserver asks the identity server to record the details of
the invitation, and to notify the invitee's homeserver of this pending invitation if it gets the invitation, and to notify the invitee's homeserver of this pending invitation if it gets
a binding for this identifier in the future. The identity service returns a token a binding for this identifier in the future. The identity server returns a token
and public key to the inviting homeserver. and public key to the inviting homeserver.
When the invitee's homeserver receives the notification of the binding, it When the invitee's homeserver receives the notification of the binding, it
@ -57,7 +57,7 @@ Server behaviour
---------------- ----------------
Upon receipt of an ``/invite``, the server is expected to look up the third party Upon receipt of an ``/invite``, the server is expected to look up the third party
identifier with the provided identity service. If the lookup yields a result for identifier with the provided identity server. If the lookup yields a result for
a Matrix User ID then the normal invite process can be initiated. This process a Matrix User ID then the normal invite process can be initiated. This process
ends up looking like this: ends up looking like this:
@ -87,7 +87,7 @@ ends up looking like this:
However, if the lookup does not yield a bound User ID, the homeserver must store However, if the lookup does not yield a bound User ID, the homeserver must store
the invite on the identity service and emit a valid ``m.room.third_party_invite`` the invite on the identity server and emit a valid ``m.room.third_party_invite``
event to the room. This process ends up looking like this: event to the room. This process ends up looking like this:
:: ::
@ -125,7 +125,7 @@ All homeservers MUST verify the signature in the event's
``content.third_party_invite.signed`` object. ``content.third_party_invite.signed`` object.
The third party user will then need to verify their identity, which results in The third party user will then need to verify their identity, which results in
a call from the identity service to the homeserver that bound the third party a call from the identity server to the homeserver that bound the third party
identifier to a user. The homeserver then exchanges the ``m.room.third_party_invite`` identifier to a user. The homeserver then exchanges the ``m.room.third_party_invite``
event in the room for a complete ``m.room.member`` event for ``membership: invite`` event in the room for a complete ``m.room.member`` event for ``membership: invite``
for the user that has bound the third party identifier. for the user that has bound the third party identifier.
@ -142,7 +142,7 @@ the room. They may, however, indicate to their clients that a member's
membership is questionable. membership is questionable.
For example, given H1, H2, and H3 as homeservers, UserA as a user of H1, and an For example, given H1, H2, and H3 as homeservers, UserA as a user of H1, and an
identity service IS, the full sequence for a third party invite would look like identity server IS, the full sequence for a third party invite would look like
the following. This diagram assumes H1 and H2 are residents of the room while the following. This diagram assumes H1 and H2 are residents of the room while
H3 is attempting to join. H3 is attempting to join.
@ -213,9 +213,9 @@ in the diagram.
H1 MUST verify the request from H3 to ensure the ``signed`` property is correct H1 MUST verify the request from H3 to ensure the ``signed`` property is correct
as well as the ``key_validity_url`` as still being valid. This is done by making as well as the ``key_validity_url`` as still being valid. This is done by making
a request to the `identity service /isvalid`_ endpoint, using the provided URL a request to the `identity server /isvalid`_ endpoint, using the provided URL
rather than constructing a new one. The query string and response for the provided rather than constructing a new one. The query string and response for the provided
URL must match the identity service specification. URL must match the identity server specification.
The reason that no other homeserver may reject the event based on checking The reason that no other homeserver may reject the event based on checking
``key_validity_url`` is that we must ensure event acceptance is deterministic. ``key_validity_url`` is that we must ensure event acceptance is deterministic.
@ -236,22 +236,22 @@ ID and a third party identifier is hard. In particular, being able to look up
all third party identifiers from a matrix user ID (and accordingly, being able all third party identifiers from a matrix user ID (and accordingly, being able
to link each third party identifier) should be avoided wherever possible. to link each third party identifier) should be avoided wherever possible.
To this end, the third party identifier is not put in any event, rather an To this end, the third party identifier is not put in any event, rather an
opaque display name provided by the identity service is put into the events. opaque display name provided by the identity server is put into the events.
Clients should not remember or display third party identifiers from invites, Clients should not remember or display third party identifiers from invites,
other than for the use of the inviter themself. other than for the use of the inviter themself.
Homeservers are not required to trust any particular identity service(s). It is Homeservers are not required to trust any particular identity server(s). It is
generally a client's responsibility to decide which identity services it trusts, generally a client's responsibility to decide which identity servers it trusts,
not a homeserver's. Accordingly, this API takes identity services as input from not a homeserver's. Accordingly, this API takes identity servers as input from
end users, and doesn't have any specific trusted set. It is possible some end users, and doesn't have any specific trusted set. It is possible some
homeservers may want to supply defaults, or reject some identity services for homeservers may want to supply defaults, or reject some identity servers for
*its* users, but no homeserver is allowed to dictate which identity services *its* users, but no homeserver is allowed to dictate which identity servers
*other* homeservers' users trust. *other* homeservers' users trust.
There is some risk of denial of service attacks by flooding homeservers or There is some risk of denial of service attacks by flooding homeservers or
identity services with many requests, or much state to store. Defending against identity servers with many requests, or much state to store. Defending against
these is left to the implementer's discretion. these is left to the implementer's discretion.
.. _`identity service /isvalid`: ../identity_service/unstable.html#get-matrix-identity-api-v1-pubkey-isvalid .. _`identity server /isvalid`: ../identity_server/unstable.html#get-matrix-identity-api-v1-pubkey-isvalid

28
specification/server_server_api.rst
View file

@ -844,35 +844,35 @@ When an user wants to invite another user in a room but doesn't know the Matrix
ID to invite, they can do so using a third-party identifier (e.g. an e-mail or a ID to invite, they can do so using a third-party identifier (e.g. an e-mail or a
phone number). phone number).
This identifier and its bindings to Matrix IDs are verified by an identity service This identifier and its bindings to Matrix IDs are verified by an identity server
implementing the `identity service API`_. implementing the `identity server API`_.
Cases where an association exists for a third-party identifier Cases where an association exists for a third-party identifier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the third-party identifier is already bound to a Matrix ID, a lookup request If the third-party identifier is already bound to a Matrix ID, a lookup request
on the identity service will return it. The invite is then processed by the inviting on the identity server will return it. The invite is then processed by the inviting
homeserver as a standard ``m.room.member`` invite event. This is the simplest case. homeserver as a standard ``m.room.member`` invite event. This is the simplest case.
Cases where an association doesn't exist for a third-party identifier Cases where an association doesn't exist for a third-party identifier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the third-party identifier isn't bound to any Matrix ID, the inviting If the third-party identifier isn't bound to any Matrix ID, the inviting
homeserver will request the identity service to store an invite for this identifier homeserver will request the identity server to store an invite for this identifier
and to deliver it to whoever binds it to its Matrix ID. It will also send a and to deliver it to whoever binds it to its Matrix ID. It will also send a
``m.room.third_party_invite`` event in the room to specify a display name, a token ``m.room.third_party_invite`` event in the room to specify a display name, a token
and public keys the identity service provided as a response to the invite storage and public keys the identity server provided as a response to the invite storage
request. request.
When a third-party identifier with pending invites gets bound to a Matrix ID, When a third-party identifier with pending invites gets bound to a Matrix ID,
the identity service will send a POST request to the ID's homeserver as described the identity server will send a POST request to the ID's homeserver as described
in the `Invitation Storage`_ section of the identity service API. in the `Invitation Storage`_ section of the identity server API.
The following process applies for each invite sent by the identity service: The following process applies for each invite sent by the identity server:
The invited homeserver will create a ``m.room.member`` invite event containing The invited homeserver will create a ``m.room.member`` invite event containing
a special ``third_party_invite`` section containing the token and a signed object, a special ``third_party_invite`` section containing the token and a signed object,
both provided by the identity service. both provided by the identity server.
If the invited homeserver is in the room the invite came from, it can auth the If the invited homeserver is in the room the invite came from, it can auth the
event and send it. event and send it.
@ -894,14 +894,14 @@ server.
To do so, it will fetch from the room's state events the ``m.room.third_party_invite`` To do so, it will fetch from the room's state events the ``m.room.third_party_invite``
event for which the state key matches with the value for the ``token`` key in the event for which the state key matches with the value for the ``token`` key in the
``third_party_invite`` object from the ``m.room.member`` event's content to fetch the ``third_party_invite`` object from the ``m.room.member`` event's content to fetch the
public keys initially delivered by the identity service that stored the invite. public keys initially delivered by the identity server that stored the invite.
It will then use these keys to verify that the ``signed`` object (in the It will then use these keys to verify that the ``signed`` object (in the
``third_party_invite`` object from the ``m.room.member`` event's content) was ``third_party_invite`` object from the ``m.room.member`` event's content) was
signed by the same identity service. signed by the same identity server.
Since this ``signed`` object can only be delivered once in the POST request Since this ``signed`` object can only be delivered once in the POST request
emitted by the identity service upon binding between the third-party identifier emitted by the identity server upon binding between the third-party identifier
and the Matrix ID, and contains the invited user's Matrix ID and the token and the Matrix ID, and contains the invited user's Matrix ID and the token
delivered when the invite was stored, this verification will prove that the delivered when the invite was stored, this verification will prove that the
``m.room.member`` invite event comes from the user owning the invited third-party ``m.room.member`` invite event comes from the user owning the invited third-party
@ -1192,8 +1192,8 @@ Example code
.. |/query/directory| replace:: ``/query/directory`` .. |/query/directory| replace:: ``/query/directory``
.. _/query/directory: #get-matrix-federation-v1-query-directory .. _/query/directory: #get-matrix-federation-v1-query-directory
.. _`Invitation storage`: ../identity_service/%IDENTITY_RELEASE_LABEL%.html#invitation-storage .. _`Invitation storage`: ../identity_server/%IDENTITY_RELEASE_LABEL%.html#invitation-storage
.. _`identity service API`: ../identity_service/%IDENTITY_RELEASE_LABEL%.html .. _`identity server API`: ../identity_server/%IDENTITY_RELEASE_LABEL%.html
.. _`Client-Server API`: ../client_server/%CLIENT_RELEASE_LABEL%.html .. _`Client-Server API`: ../client_server/%CLIENT_RELEASE_LABEL%.html
.. _`Inviting to a room`: #inviting-to-a-room .. _`Inviting to a room`: #inviting-to-a-room
.. _`Canonical JSON`: ../appendices.html#canonical-json .. _`Canonical JSON`: ../appendices.html#canonical-json

6
specification/targets.yaml
View file

@ -18,10 +18,10 @@ targets:
files: files:
- server_server_api.rst - server_server_api.rst
version_label: "%SERVER_RELEASE_LABEL%" version_label: "%SERVER_RELEASE_LABEL%"
identity_service: identity_server:
files: files:
- identity_service_api.rst - identity_server_api.rst
version_label: unstable version_label: "%IDENTITY_RELEASE_LABEL%"
push_gateway: push_gateway:
files: files:
- push_gateway.rst - push_gateway.rst