From ee6513d608cf8004f67a9fbae1b69d02477719dd Mon Sep 17 00:00:00 2001 From: Erik Johnston Date: Thu, 7 Mar 2019 16:52:58 +0000 Subject: [PATCH] Add alternative sid/client_secret authentication --- proposals/1915-unbind-identity-server-param.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/proposals/1915-unbind-identity-server-param.md b/proposals/1915-unbind-identity-server-param.md index f018d261..1dc2d833 100644 --- a/proposals/1915-unbind-identity-server-param.md +++ b/proposals/1915-unbind-identity-server-param.md @@ -57,8 +57,11 @@ should assume that the identity server doesn't support the `/unbind` API, unless it returns a specific matrix error response (i.e. the body is a JSON object with `error` and `errcode` fields). -The identity server should accept any request to unbind a 3PID for a `user_id` from -the homeserver controlling that user ID. +The identity server should authenticate the request in one of two ways: + +1. The request is signed by the homeserver which controls the `user_id`. +2. The request includes the `sid` and `client_server` params (as per `/bind`), + which proves ownership of the given 3PID. Example: