Skip to content

Commit 5990d98

Browse files
turt2liveturt2live
authored
Merge pull request #2611 from matrix-org/rav/proposal-remove-token-auth-type
MSC2611: Remove `m.login.token` User-Interactive Authentication type from the specification
2 parents 53e2b99 + 1e04948 commit 5990d98

File tree

1 file changed

+40
-0
lines changed

1 file changed

+40
-0
lines changed

proposals/2611-remove-login-auth-type.md

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
# MSC2611: Remove `m.login.token` User-Interactive Authentication type from the specification
2+
3+
The client-server API specification
4+
[defines](https://matrix.org/docs/spec/client_server/r0.6.1#authentication-types)
5+
a number of "authentication types" for use with the User-Interactive
6+
Authentication protocol.
7+
8+
Of these, `m.login.token` is unused and confusing. This MSC proposes removing it.
9+
10+
## Proposal
11+
12+
The definition of
13+
[token-based](https://matrix.org/docs/spec/client_server/r0.6.1#token-based)
14+
authentication is unclear about how this authentication type should be used. It
15+
suggests "via some external service, such as email or SMS", but in practice
16+
those validation mechanisms have their own token-submission mechanisms (for
17+
example, the
18+
`submit_url` field of the responses from
19+
[`/account/password/email/requestToken`](https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-account-password-email-requesttoken)
20+
and
21+
[`/account/password/msisdn/requestToken`](https://matrix.org/docs/spec/client_server/r0.6.1#post-matrix-client-r0-account-password-msisdn-requesttoken)
22+
respectively). Additionally, the specification requires that "the server must
23+
encode the user ID in the token", which seems at odds with any token which can
24+
be sent to a user over SMS.
25+
26+
Additional confusion stems from the presence of an `m.login.token` [login
27+
type](https://matrix.org/docs/spec/client_server/r0.6.1#login), which is used
28+
quite differently: it forms part of the single-sign-on login flow. For clarity:
29+
this proposal does not suggest making any changes to the `m.login.token` login
30+
type.
31+
32+
In practice, we are not aware of any implementations of the `m.login.token`
33+
authentication type, and the inconsistency adds unnecessary confusion to the
34+
specification.
35+
36+
## Potential Issues
37+
38+
It's possible that somebody has found a use for this mechanism. However, that
39+
would necessarily entail some custom development of clients and servers, so is
40+
not materially affected by the removal from the specification.

0 commit comments

Comments
 (0)