id_access_token put in too many places

[anoadragon453]

id_access_token is only required for the following endpoints:

• POST /account/3pid
• POST /createRoom if you are using the invite_3pid param.

None of the /requestToken endpoints need it as the homeserver decides what identity server to use in this case. In the case of binding an email to an identity server through the homeserver, the client should call the /requestToken endpoint directly on the identity server instead.

MSC2290 changes things slightly:

• POST /account/3pid is deprecated
• POST /account/3pid/add new endpoint. Doesn't require id_server or id_access_token.
• POST /account/3pid/bind new endpoint. Does require id_server and id_access_token.

The new endpoint are subject to change as the MSC progresses of course.

I'm not entirely sure about the m.login.email.identity and m.login.msisdn entries though...

[turt2live]

2290 doesn't affect the unstable spec at all yet because it's not been reviewed. We can't spec things that don't exist :/

#2140 requires that the id_access_token appear everywhere an id_server is present, therefore it was specced as such. #2263 does the deprecation of id_server in /requestToken to make it optional, with Synapse going the route of removing it.

If the id_access_token shouldn't be on any of those endpoints, a new MSC will need to be written. MSC2140 was very clear that it's required everywhere there is an id_server, including UIA.