MSC4191: Account management for OAuth 2.0 API

[sandhose]

Rendered

Implementions:

• Server
  • Synapse via matrix-authentication-service
    • Exposes account_management_uri and account_management_actions_supported values in metadata. e.g. https://matrix-client.matrix.org/_matrix/client/v1/auth_metadata
    • Provides a UX at the advertised URIs with support for the action and device_id parameters
• Clients
  • Element Web
    • Supported actions include: org.matrix.session_end
  • Element X
    • Supported actions include: org.matrix.profile, org.matrix.sessions_list

To do:

• Update references to MSC3861 as it has been accepted
• Add clarification about being the replacement for delete devices API endpoints when using OAuth 2.0 API
• Check for consistency with MSC3824

---

In line with matrix-org/matrix-spec#1700, the following disclosure applies:

I am a Software Engineer at Element. This proposal was written and published as an Element employee.

---

SCT Stuff:

FCP tickyboxes

MSC checklist

[turt2live]

@mscbot fcp merge
@mscbot concern Pending preliminary approval from oauth-ext-review to use the new names - https://mailarchive.ietf.org/arch/msg/oauth-ext-review/6RQXusbqFTy-XZCGwLSW-RIa9Dg/

[mscbot]

Team member @mscbot has proposed to merge this. The next step is review by the rest of the tagged people:

• @clokep
• @dbkr
• @uhoreg
• @turt2live
• @ara4n
• @anoadragon453
• @richvdh
• @tulir
• @erikjohnston
• @KitsuneRal

Concerns:

• Pending preliminary approval from oauth-ext-review to use the new names - https://mailarchive.ietf.org/arch/msg/oauth-ext-review/6RQXusbqFTy-XZCGwLSW-RIa9Dg/

Once at least 75% of reviewers approve (and there are no outstanding concerns), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for information about what commands tagged team members can give me.

[turt2live]

MSCs proposed for Final Comment Period (FCP) should meet the requirements outlined in the checklist prior to being accepted into the spec. This checklist is a bit long, but aims to reduce the number of follow-on MSCs after a feature lands.

SCT members: please check off things you check for, and raise a concern against FCP if the checklist is incomplete. If an item doesn't apply, prefer to check it rather than remove it. Unchecking items is encouraged where applicable.

MSC authors: feel free to ask in a thread on your MSC or in the#matrix-spec:matrix.org room for clarification of any of these points.

• Are appropriate implementation(s) specified in the MSC’s PR description?
• Are all MSCs that this MSC depends on already accepted?
• For each new endpoint that is introduced:
  • Have authentication requirements been specified?
  • Have rate-limiting requirements been specified?
  • Have guest access requirements been specified?
  • Are error responses specified?
    • Does each error case have a specified errcode (e.g. M_FORBIDDEN) and HTTP status code?
      • If a new errcode is introduced, is it clear that it is new?
• Will the MSC require a new room version, and if so, has that been made clear?
  • Is the reason for a new room version clearly stated? For example, modifying the set of redacted fields changes how event IDs are calculated, thus requiring a new room version.
• Are backwards-compatibility concerns appropriately addressed?
• Are the endpoint conventions honoured?
  • Do HTTP endpoints use_underscores_like_this?
  • Will the endpoint return unbounded data? If so, has pagination been considered?
  • If the endpoint utilises pagination, is it consistent with the appendices?
• An introduction exists and clearly outlines the problem being solved. Ideally, the first paragraph should be understandable by a non-technical audience.
• All outstanding threads are resolved
  • All feedback is incorporated into the proposal text itself, either as a fix or noted as an alternative
• While the exact sections do not need to be present, the details implied by the proposal template are covered. Namely:
  • Introduction
  • Proposal text
  • Potential issues
  • Alternatives
  • Dependencies
• Stable identifiers are used throughout the proposal, except for the unstable prefix section
  • Unstable prefixes consider the awkward accepted-but-not-merged state
  • Chosen unstable prefixes do not pollute any global namespace (use “org.matrix.mscXXXX”, not “org.matrix”).
• Changes have applicable Sign Off from all authors/editors/contributors
• There is a dedicated "Security Considerations" section which detail any possible attacks/vulnerabilities this proposal may introduce, even if this is "None.". See RFC3552 for things to think about, but in particular pay attention to the OWASP Top Ten.

[clokep]

Why session and not device to match current terminology?

[hughns]

I believe the original rationale for this is that OAuth 2.0 refers to sessions, whereas devices is a Matrix concept.

@sandhose can you provide any other context on this?

[hughns]

@sandhose has said that originally these values didn't have a org.matrix prefix and it felt right to use the OAuth terminology of sessions.

However, now that these values are prefixed it does seem entirely reasonable to revisit them and give them names that make sense for Matrix.

How about:

• org.matrix.devices_list
• org.matrix.device_view
• org.matrix.device_delete (delete doesn't feel quite right, but I can't think of anything better right now)

Given that these are just value renames rather than anything semantic, could they be adjusted later in the spec process rather than requiring the implementations to be updated prior to FCP?

[clokep]

That would be fine, yes.

[hughns]

I've updated the values in 9e1fbf5 and left this thread unresolved to reflect that the implementation in MAS is using the non-stable values.

[tonkku107]

org.matrix.session_end was renamed to org.matrix.device_delete but the rest of the proposal didn't follow