Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MSC2964: Usage of OAuth 2.0 authorization code grant and refresh token grant #2964

Open
wants to merge 31 commits into
base: main
Choose a base branch
from
Open

MSC2964: Usage of OAuth 2.0 authorization code grant and refresh token grant #2964

Changes from 3 commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
2af8b49
OAuth 2.0 profile MSC
sandhose Jan 14, 2021
5962618
Refer to OP rather than AS to avoid clash with Application Service
hughns May 25, 2022
38c97a5
Title update and intro about architectural change
hughns May 25, 2022
e12ee77
Add section on endpoints that would now be outside of scope and so re…
hughns Feb 8, 2023
20d865d
Spelling
hughns Feb 8, 2023
261e3b0
Section on proposed endpoints that would no longer be relevant
hughns Feb 8, 2023
38bb557
Consistency with MSC3861 and cleanup
hughns Feb 8, 2023
45d510b
Standardise terminology on OpenID Provider = OP
hughns Feb 8, 2023
d114f82
Update proposals/2964-oauth2-profile.md
hughns Feb 8, 2023
8fc3ea1
Notes on QR and browserless
hughns Feb 8, 2023
029e1e5
OpenID id_token endpoint is still needed
hughns Feb 8, 2023
0802d8f
Notes about confusion with existing OIDC and OpenID capabilities
hughns Feb 9, 2023
20ee4a3
Additional endpoints to be removed
hughns Feb 13, 2023
6e387d8
Add 3pid endpoints that would be removed
hughns Feb 15, 2023
4a2ed74
Changes to GET /account/3pid
hughns Feb 15, 2023
40048da
Alternative proposal for 3PID handling
hughns Feb 15, 2023
f0e319a
Add section on removing UIA
hughns Feb 16, 2023
55215c1
Refer to UIA as API
hughns Feb 17, 2023
21fee1c
We now have proposal for 3PID and guest access
hughns Feb 20, 2023
2c0625d
Logout semantics
hughns Feb 23, 2023
24e0290
Remove TBDs that are done
hughns Feb 23, 2023
d145fd2
Merge branch 'msc/sandhose/oauth2-profile' of https://github.com/sand…
hughns Feb 23, 2023
acfa845
More done items
hughns Feb 23, 2023
fa506ff
Remove dependency loop
hughns Apr 6, 2023
378348e
Merge branch 'matrix-org:main' into msc/sandhose/oauth2-profile
sandhose Sep 3, 2024
c859c0b
Rework proposal to only cover the authorization code flow
sandhose Sep 4, 2024
c1c8312
Fix a bunch of todos
sandhose Sep 16, 2024
05748a2
Fix typos
sandhose Sep 16, 2024
1034122
Fix the response_mode being an authorization request parameter
sandhose Sep 17, 2024
4830d47
Apply suggestions from code review
sandhose Sep 17, 2024
f84428f
Remove unused images
sandhose Sep 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
192 changes: 192 additions & 0 deletions proposals/2964-oauth2-profile.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,192 @@
# MSC2964: Delegation of auth from homeserver to OIDC Provider

The current authentication mechanisms in Matrix looks a lot like OAuth 2.0 without most of its security hardening mechanisms.

This MSC is part of an architectural change to replace the existing Matrix authentication mechanisms with OAuth 2.0. A fundamental change is that access tokens will no longer be issued by the homeserver and instead will be issued by an auth server (OIDC Provider) directly to the Matrix client.

This MSC in particular defines how clients should authenticate with the OIDC Provider to obtain the access token used to access the Matrix Client-to-Server API.

## Proposal

### Terminology

**OAuth 2.0** is an authentication framework. Authentication systems are built on top of OAuth2. It is based on numerous RFCs by the IETF.
hughns marked this conversation as resolved.
Show resolved Hide resolved

**OpenID Connect** is a set of specifications defining a standard auth system built on top of OAuth2. Often abbreviated OIDC. Specs to know about: OIDC Core defines the actual auth system, OIDC Discovery defines the discovery of OP metadata, OIDC Registration allows clients to register themselves dynamically.

An **Authorization/Authentication Server** (AS - as this acronym is already used to refer to Application Service in Matrix we will avoid it) or **OIDC Provider** (OP) in the context of OIDC is the service that fulfills an authentication request. In the context of Matrix, it is either the homeserver itself acting as the OP or an external one like Keycloak, Auth0, etc.
hughns marked this conversation as resolved.
Show resolved Hide resolved

A **Resource Server** (RS) is a protected service that requires authentication. In the context of Matrix, the homeserver is a RS.

A **Resource Owner** (RO) is an end user.

A **Relying Party** (RP) (client applications) is an app using resources from RS on behalf of the RO. In the context of Matrix, Matrix clients like Element Web are RPs.

A **User-Agent** (UA) is a thing that hosts client applications, like a web browser.

### Assumptions and existing specifications

This change assumes the client (RP) knows what OIDC Provider (OP) it should use.
The OP discovery is defined in [MSC2965](https://github.com/matrix-org/matrix-doc/pull/2965).

It also assumes the client (RP) is already known by the OIDC Provider (OP).
The client registration process is defined in [MSC2966](https://github.com/matrix-org/matrix-doc/pull/2966).

The goal of this MSC is not to explain how OAuth 2.0 works but rather what mechanisms of OAuth 2.0 RP and OP are expected to implement.
This is done to ensure interoperability between Matrix clients and Homeservers while ensuring that the login flow is secure.

### Client profiles

#### Native and browser-based clients

This client type applies to clients that are running directly on the user-agent.
These clients are either browser-based or are capable of interacting with a separate web browser to have the user interact with the authentication server.

Those clients must use the authorization code flow by directing the user to the authorization endpoint to obtain authorization.
After the user authenticated and authorized the client, the user's web browser is redirected to a URI hosted by the client with an authorization code.
The client then exchanges the authorization code to obtain an access token using the token endpoint.

Those clients are public and therefore must use [PKCE](https://tools.ietf.org/html/rfc7636) with the S256 code challenge mechanism.

The authorization must issue refresh tokens for those type of clients if requested by them.

#### Server-based clients

This client type applies to hosted clients.
These clients must be capable to redirect the user to have them interact with the authentication server.

As with native and public browser-based clients, they must use the authorization code flow to obtain authorization.
Those clients are confidential and must authenticate their requests to the authorization server with their client credentials.

The authorization must issue refresh tokens for those type of clients if requested by them.

#### TBD

Restricted input clients like TVs might use the [Device Authorization Grant](https://tools.ietf.org/html/rfc8628).
CLI tools might use the [Client Credentials Grant](https://tools.ietf.org/html/rfc6749#section-4.4).

The details of those are still TBD.

### Requests to the authorization endpoint

When making a request to the authorization endpoint, clients must provide an unpredicatble value for the `state` parameter and validate it when returning to the redirect URI.
They must ensure the `state` value is securely tied to the current session.

The redirect URIs used by the clients must match exactly with the ones registered to prevent open redirection attaks.
The full redirect URI must be included in the authorization request.

The client might include a login hint to what MXID the user is trying to use.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So far the spec only requires a username on login and /login then returns the MXID. At work we actually utilize this so that the login username has nothing to do with the MXID you have in the end.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to see some more info on what a "login hint to what MXID" is. Can that be the username or does it have to be the mxid? Does the client now have to do the mxid mapping, that so far was pretty much implementation defined?

Copy link
Contributor

@zecakeh zecakeh Aug 11, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I understood correctly, like the name suggests, it's only a hint, to avoid the user having to enter their MXID/username several times.

For example, with a client you would have these steps:

  1. The user enters a MXID in the client to login.
  2. The client discovers the homeserver from the MXID, according to the spec. While doing that it also sees that the homeserver supports OIDC.
  3. The client directs the user to the OIDC auth server, and inserts in the request the MXID that the user entered as a login hint.
  4. The user opens the login page on the auth server, and the username field is pre-filled according to the MXID that was provided.

In no way it should limit the choice of username for the user, or force the auth server or homeserver to use it. That's what I understand of the intentions for that field from the OIDC spec anyway.

Although ultimately the auth server is free to do whatever it pleases and might also ignore this parameter altogether.

I would guess it's also up to the auth server and homeserver to decide if the username used for authentication matches the one in the MXID. Irc, it's already the case in Synapse's OIDC config where one can chose to map the username from the auth server to anything else.

To get the final MXID, the client needs to call the homeserver's GET /whoami endpoint with the access token that was obtained during auth.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, often clients actually use separate fields for server and username (or the server is even preconfigured). Users then just enter "FirstName LastName", so would that be an acceptible login hint or does it have to be an mxid?


The scopes the client can request are defined in [MSC2967](https://github.com/matrix-org/matrix-doc/pull/2967).

Sample authorization request:

```
https://account.example.com/oauth2/auth?
client_id = s6BhdRkqt3 &
response_type = code &
redirect_uri = https://app.example.com/oauth2-callback &
scope = openid urn:matrix:* &
state = ewubooN9weezeewah9fol4oothohroh3 &
nonce = aazeiD3ahmai6ui9eiveiphochoyaewi &
login_hint = mxid:@john:example.com &
code_challenge = 72xySjpngTcCxgbPfFmkPHjMvVDl2jW1aWP7-J6rmwU &
code_challenge_method = S256
```

### Requests to the token endpoint

When exchanging the `code`, clients must include their `client_id` and the `redirect_uri` they used for the initial request.
The server must verify they match for this `code`.

If PKCE was used in the authorization request (required for public client), the client must include the `code_verifier` and the server must validate it.

If the client is confidential, it must authenticate by including its `client_secret`.

TBD: should confidential clients use [JWT assertions](https://tools.ietf.org/html/rfc7523#section-2.2) instead?

```
POST /oauth2/token HTTP/1.1
Host: account.example.com
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=authorization_code
&code=iuB7Eiz9heengah1joh2ioy9ahChuP6R
&redirect_uri=https%3A%2F%2Fapp.element.io%2Foauth2-callback
&client_id=s6BhdRkqt3
&code_verifier=ogie4iVaeteeKeeLaid0aizuimairaCh
```

```json
{
"access_token": "2YotnFZFEjr1zCsicMWpAA",
"token_type": "Bearer",
"expires_in": 299,
"refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
"scope": "openid urn:matrix:api:*",
"id_token": "..."
}
```

The access token must be short-lived and should be refreshed using the `refresh_token` when expired.

### Existing authentication types equivalence

The current authentication mechanism can have multiple stages allowing to ask users to perform certains actions.
This includes:

- social login (`m.login.sso`), with multiple providers ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858))
- complete a CAPTCHA (`m.login.recaptcha`)
- agree to terms of services and privacy policies (`m.login.terms`, [MSC1692](https://github.com/matrix-org/matrix-doc/pull/1692))
- TOTP/2FA (`m.login.totp`, [MSC2271](https://github.com/matrix-org/matrix-doc/pull/2271))

All of this can be done by the authentication server without any modification to the specification.

### Replacement of UIA

Some API endpoints use User-Interactive Authentication to perform some higher-privileged operations, like deleting a device or adding a 3PID.
An equivalent behaviour can be achieved by temporarily upgrade the client authorization with additional scopes.

Whenever the client ask for a token (either with a refresh token or by initiating a authorization code flow) the authentication server returns the list of scopes for which the token is valid.
This helps client track what scopes they currently have access to, and let them upgrade temporarily a token with additional scopes to perform privileged actions.
The authorization server can also downgrade the scopes of a session after a certain time by returning a reduced list of scopes when refreshing the token.
The scope definitions are out of scope of this MSC and are defined in [MSC2967](https://github.com/matrix-org/matrix-doc/pull/2967).
Copy link
Contributor

@ShadowJonathan ShadowJonathan May 16, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this be replaced with; the client requesting for a seperate token with only the required scope to perform this action, only for it to be dropped (deactivated) immidiately after?

Something about upgrading the same token doesn't sit well with me from a security perspective, it might be a deliberately locked-down token, and/or multiple actions at once could race to upgrade/downgrade the current token.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having a separate token purely for one scope / set of scopes sounds like a really good idea, especially for race condition reasons. Races could be also avoided by introducing state on AS/OP side, but that is quite out of scope of oauth2 specification (if I'm not mistaken)

At the same time, it would make specification compatible with more possible OP implementations.

Making it single use would be easily doable using jti claim on that token.


### User registration

User can register themselves by initiating a authorization code flow with the `prompt=create` parameter as defined in [_Initiating User Registration via OpenID Connect - draft 03_](https://openid.net/specs/openid-connect-prompt-create-1_0.html).

### Logging out

TBD. [OIDC Frontchannel logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html) might be helpful.

## Potential issues

There are still many open questions that need to be adressed in future MSCs.
This includes:

- using OAuth 2.0 to authenticate application services
- account management, including active session management
- interactions with widgets and integrations
- 3PID logins
- guest logins

The current authentication mechanism will be deprecated later on, but a migration period where the two authentication mechanisms cohabit needs to exist.
This is doable in clients but harder to do in servers.
One requirement for a smooth migration is to adopt [MSC2918](https://github.com/matrix-org/matrix-doc/pull/2918).
The migration path and the deprecation of the current APIs will be done in a separate MSC.

## Alternatives

None relevant.
hughns marked this conversation as resolved.
Show resolved Hide resolved

## Security considerations

Since this touches one of the most sensitive part of the API, there a lot of security considerations to have.
The [OAuth 2.0 Security Best Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16) IETF draft has many attack scenarios.
Many of those scenarios are mitigated by the choices enforced in the client profiles outlined in this MSC.

## Unstable prefix

None relevant.