MSC2063: Add "server information" public API proposal #2063
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Mentioned in the text is #1929 . |
|
Signed-off-by: Peter Gervai [email protected] |
|
I support this change because we need it! |
KitsuneRal
requested changes
Jun 2, 2019
KitsuneRal
reviewed
Jun 4, 2019
proposals/2063-serverinfo.md
Outdated
| "server_data": { | ||
| "m.open_registrations": true, | ||
| "m.uptime": 63072000, | ||
| "m.registered_users": 4, |
There was a problem hiding this comment.
This is almost perfect; but it'd be probably better to further distinguish between statistics/status information (uptime and the number of users) and configuration/settings information (open registrations). I don't know if it's worth it to introduce a separate /server_config endpoint just for a single boolean value - probably overengineering here. It would be great to have other opinions on this.
There was a problem hiding this comment.
How about
{
"server_data": {
"settings": {
"m.open_registrations": true
},
"statistics" : {
"m.uptime": 63072000,
"m.registered_users": 4
}
}
}Processing a json and ignoring unnecessary fields is probably painless enough that it doesn't justify creating any more complexity.
I guess someone shall come up with a real justification to separate them even this way though, or maybe it's good for "visibility" or "mental separation"?
There was a problem hiding this comment.
I'd rather use two separate endpoints. The reason is that open registrations may (I can imagine that in theory at least) be configurable using some administration API. What I mean to say is that generally configuration is, at least in theory, read/write depending on your access credentials, while statistics are produced by the servers and cannot be tweaked even in theory. But probably let's validate it in the Matrix room.
There was a problem hiding this comment.
Should be pointed out that open_registrations is not something federation should care about. It should be reported by a client API.
There was a problem hiding this comment.
tbh I think it's fine to expose health/metadata/metrics at the federation level for this, mostly because there's a discovery function that server lists can use to query the data.
|
Syncing here comment on MSC1929 regarding this, that MSC and ServerInfo. |
jaywink
reviewed
Jul 20, 2019
proposals/2063-serverinfo.md
Outdated
| { | ||
| "server_data": { | ||
| "m.open_registrations": true, | ||
| "m.uptime": 63072000, |
There was a problem hiding this comment.
I'm wondering what usefulness the uptime actually has? If it is small, it could be "they updated recently == good" or "they're in a crash loop doing constant OOM == bad". If it is big it could be either "it's stable" or "it's not being maintained". I don't know what would be better though, just wondering whether it is good to include numbers that don't really have any particular purpose. This feels more something that should live in the /metrics endpoint for prometheus.
There was a problem hiding this comment.
include numbers that don't really have any particular purpose.
If you do not need it doesn't mean nobody else does. I could describe how it's useful but really, I believe that "it is useful for some people" should be enough to justify.
This feels more something that should live in the /metrics endpoint for prometheus.
This is a public endpoint, in contrast to prometheus. The primary point is to provide data for automated public server lists.
There was a problem hiding this comment.
tbh the first thing I'd disable is uptime: there's no metric that can be pulled from it which helps users with anything. How does uptime apply to a worker or multi-process homeserver for instance?
There was a problem hiding this comment.
How does uptime apply to a worker or multi-process homeserver for instance?
From the users viewpoint a service is "UP" when it's working. :-)
(As a user I would not pick a server with a constant less than a few days uptime, since it's either keep restarting or crashing, but that's me.)
But maybe you're right that it should be externally measured [icmp/api calls] instead of relying on the server.
|
The fediverse Aggregator site for example expects to display the following stats for nodes:
|
Signed-off-by: Alexandre Franke <[email protected]>
Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Hubert Chathi <[email protected]> Co-authored-by: Travis Ralston <[email protected]>
Signed-off-by: Alexandre Franke <[email protected]> Co-authored-by: Alexandre Franke <[email protected]>
* Add HTTP 403 to possible profile responses
Some servers may not allow profile lookup over federation, and thus
respond to GET /_matrix/client/v3/profile/{userId} with an HTTP 403.
For example, Synapse can be configured to behave in this way by setting:
allow_profile_lookup_over_federation=false
Thus, this behavior already exists in the wild, and may cause issues for
clients such as element-hq/element-web#17269.
Synapse could alter its behavior and return an HTTP 404 in these cases,
but amending the Spec seems preferable to align with extant behavior.
Further, allowing HTTP 403 gives clients more specific information as to
why a request has failed, enabling more precise error handling.
Signed-off-by: Dan Callahan <[email protected]>
* Update changelogs/client_server/newsfragments/3530.clarification
Co-authored-by: Travis Ralston <[email protected]>
* Annotate misc data about error
Co-authored-by: Travis Ralston <[email protected]>
Co-authored-by: Travis Ralston <[email protected]>
Without the vertical lines it's a bit difficult to parse. A different tool was used to generate the graph this time.
* Avoid use of the word "clobber" Fixes matrix-org#1328 * changelog
* Copy spec PR near-verbatim from past PR With light review being addressed. matrix-org#3168 * Alter for modern day * Add changelog * specify that we're using the grammar
…g#2781) * MSC2781: Down with the fallbacks Signed-off-by: Nicolas Werner <[email protected]> * Add a note about dropping the html requirement Signed-off-by: Nicolas Werner <[email protected]> * Add an unstable prefix for removed fallbacks. Signed-off-by: Nicolas Werner <[email protected]> * Add a section about fallbacks not being properly specified. Signed-off-by: Nicolas Werner <[email protected]> * Add appendix about which clients do not support replies (and why, if possible) Signed-off-by: Nicolas Werner <[email protected]> * Correct weechat status Signed-off-by: Nicolas Werner <[email protected]> * Add another alternative Signed-off-by: Nicolas Werner <[email protected]> * Document a few more issues with fallbacks Signed-off-by: Nicolas Werner <[email protected]> * Update client status, remove proposal for edits and try to turn down the language a bit Signed-off-by: Nicolas Werner <[email protected]> * Remove mistaken reference to the Qt renderer Signed-off-by: Nicolas Werner <[email protected]> * Try to make motivation a bit clearer in the proposal Signed-off-by: Nicolas Werner <[email protected]> * How do anchors work? Signed-off-by: Nicolas Werner <[email protected]> * Drop reference to issues with edit fallbacks Signed-off-by: Nicolas Werner <[email protected]> * Typos Signed-off-by: Nicolas Werner <[email protected]> * Address review comments Signed-off-by: Nicolas Werner <[email protected]> * More edits Move edit section to a single sentence in "interaction with other features". Spell out why the IRC example is there. Reword body stripping. Signed-off-by: Nicolas Werner <[email protected]> * Implementation traps Signed-off-by: Nicolas Werner <[email protected]> * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Add dates to client status list Signed-off-by: Nicolas Werner <[email protected]> * Mention pushrules proposal in the alternatives section Signed-off-by: Nicolas Werner <[email protected]> * Update proposal to 2024 This also addresses several review comments from clokep and Travis. * Be explicit about removal * Apply suggestions from code review Thanks dbkr, richvdh and clokep! Co-authored-by: David Baker <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Update proposals/2781-down-with-the-fallbacks.md Co-authored-by: Patrick Cloke <[email protected]> * Apply suggestions from code review Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: Andrew Morgan <[email protected]> * Simplify wording around invalid html and potential issues Signed-off-by: Nicolas Werner <[email protected]> --------- Signed-off-by: Nicolas Werner <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: David Baker <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: Andrew Morgan <[email protected]>
* MSC: A code for account suspension Signed-off-by: David Teller <[email protected]> * WIP: Adding prefix * Update proposals/3823-code-for-account-suspension.md Co-authored-by: Travis Ralston <[email protected]> * Apply suggestions from code review Co-authored-by: Dirk Klimpel <[email protected]> * Update for latest requirements * Add list of permitted/forbidden actions * Remove `href` from error code - this will be handled in a later MSC * Match modern template * Clarify MSC * Clarify differences in locking vs suspension, and future scope --------- Signed-off-by: David Teller <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: Dirk Klimpel <[email protected]> Co-authored-by: Travis Ralston <[email protected]>
…ssued (matrix-org#4225) * Initial proposal * edits * typos * Add impl note about dropping old keys
Signed-off-by: Johannes Marbach <[email protected]>
* MSC: Room version 11 as the default room version * s
…4133) * Extended profile fields * Unstable client features * Clarification on limits * Warning about avatar_url and displayname limits * Error code clarification * Whitespace fixes * Adjusted size limits * Clarified Canonical JSON * Clarifications * Clarifications * Remove UTF-16 * Clarify key persistence * Out of date line * Clarify only `u.*` namespace is limited to 512 bytes * Include read-only fields in capability * Change missing capability behaviour * Typo correction * Privacy clarification for T&S * Consolidation and rewrite * Whitespace fix * Safety and security updates * Clarify servers can hide fields * References to MSC4201 and MSC4202 * Clarify redacted `m.room.member` events * Error codes and redundant instructions * Removing custom fields * Typo fix * Clarifications and readability * Correct key length error to match common grammar limit * Remove PATCH/PUT. * Removed redundant sections after `PUT` and `PATCH` methods removed * Re-add client feature for managing profile fields * Update proposals/4133-extended-profiles.md Co-authored-by: Travis Ralston <[email protected]> * Clarify 403 error scenarios * Add section on caching behaviour under S-S API * Link to Canonical JSON in current spec * Cut down instructions for clients on when to display content from federated users. * Revert c82dab6 * Clarify caching and freshness challenges * Adjust abuse section * Authentication/rate-limiting/guest access requirements * Un-revert accidental revert of af87bbe * Simplify caching recommendations * Up to clients whether they check capability Co-authored-by: Richard van der Hoff <[email protected]> * Technically correct is the best kind of correct Co-authored-by: Richard van der Hoff <[email protected]> * Link to current federation profile endpoint Co-authored-by: Richard van der Hoff <[email protected]> * Mention check for spec version when using profile fields Co-authored-by: Richard van der Hoff <[email protected]> * Attempt to clarify what servers should not enforce about key naming * Fix line wrapping after 9b2918e * Add `M_MISSING_PARAM` error * Clarify where errors apply * Clarify optional ability to not always federate every field * Fix inconsistent line wrapping * Offer suggestions for hiding extended fields when member event redacted Co-authored-by: Andrew Morgan <[email protected]> * Fix wrapping length of one line --------- Co-authored-by: Patrick Cloke <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Andrew Morgan <[email protected]>
…4183) * MSC4180: Additional Error Codes for submitToken endpoint * Bah, markdown * Line wrapping * Typos * Right MSC number Co-authored-by: Johannes Marbach <[email protected]> * Rename * Add http status code * Apply suggestions from code review Spelling / grammar fixes Co-authored-by: Andrew Morgan <[email protected]> * Word wrap * Clearer wording * clarify * Clarify * Add note about not reusing error code * Clarify that we're taking about the submittoken api in requestToken * spelling * Clearer wording Co-authored-by: Richard van der Hoff <[email protected]> * Add note on POST email submitToken api and how it isn't really a thing in practice * Hopefully make more clearer * Apply same change to other submitToken endpoints ...from the other requestToken enpoints Also try to further clarify the note about the largely unused POST email submitToken * Remove stray lines, more clarifications & consistency fix * clarify only c/s api Co-authored-by: Richard van der Hoff <[email protected]> * Typos & clarity Co-authored-by: Richard van der Hoff <[email protected]> * Clarify --------- Co-authored-by: Johannes Marbach <[email protected]> Co-authored-by: Andrew Morgan <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]>
* Add rich room topic MSC Signed-off-by: Johannes Marbach <[email protected]> * Rename to reflect propper MSC number * Fix typo * Explain why m.topic is kept separate from m.message * Use json5 for formatting code snippet Co-authored-by: Travis Ralston <[email protected]> * Remove unneeded unstable room version * Adapt to latest version of MSC1767 * Add paragraph about preventing formatting abuse * Introduce wrapping m.topic content block (matrix-org#4111) * Clarify the case of HTML-only topics and transition logic (matrix-org#4112) * Clarify and simplify transition logic * Clarify the case of HTML-only topics * Make it more explicit that m.topic replaces m.room.topic without deprecation (matrix-org#4181) * Remove line-based formatting logic and limit length of topics (matrix-org#4182) * Update MSC3765: Rich text in room topics (matrix-org#4215) Updates MSC from feedback, * Accept suggestion Co-authored-by: Johannes Marbach <[email protected]> * Clarify length / display limits. Co-authored-by: Johannes Marbach <[email protected]> * Apply clarifications from author Co-authored-by: Johannes Marbach <[email protected]> * Make MSC3765 independent of extensible events and new room versions (matrix-org#4240) * Apply suggestions from code review * Update proposals/3765-rich-room-topics.md Co-authored-by: Johannes Marbach <[email protected]> * Properly explain why the m.topic content block is needed (matrix-org#4251) * Apply suggestions from code review Co-authored-by: Johannes Marbach <[email protected]> --------- Signed-off-by: Johannes Marbach <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: David Baker <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]>
* MSC: Reporting users (Client-Server API) * Add guest access requirements * Add examples; fix reason * Clarify that reports don't transit federation, but can still be received
* Room summary proposal Signed-off-by: Nicolas Werner <[email protected]> * Remove alias resolution step from the federation API * Reference matrix-org#688 in the alternatives section Signed-off-by: Nicolas Werner <[email protected]> * Remove `is_direct` from response Signed-off-by: Nicolas Werner <[email protected]> * Fix unstable prefixes for implementations which keep the prefix and rest of the path separate Signed-off-by: Nicolas Werner <[email protected]> * Add allowed_room_ids field That way the requesting server knows, if any user would have access to that room and it can forward the room to the user. Signed-off-by: Nicolas Werner <[email protected]> * Extend rationale for additional fields to reference MSC2946 Also explain that membership is already accessible information. Signed-off-by: Nicolas Werner <[email protected]> * Add bulk API as an alternative Signed-off-by: Nicolas Werner <[email protected]> * Remove federation API and address feedback - Add some additional rationale to some things. - Federation API now reuses MSC 2946 - roomid -> roomId - Move it out of /rooms, because it allows using an alias Signed-off-by: Nicolas Werner <[email protected]> * fix prefixes again * Remove extensions to federation API since that MSC is amended now Signed-off-by: Nicolas Werner <[email protected]> * Fix minor inaccuracy about the spaces sumary api * Add encryption field back * Add room version field Signed-off-by: Nicolas Werner <[email protected]> * Apply suggestions from code review Co-authored-by: Andrew Morgan <[email protected]> Co-authored-by: Alexey Rusakov <[email protected]> * Add a bit more reasoning * version -> room_version * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Try to address review comments Signed-off-by: Nicolas Werner <[email protected]> * Fix incorrect statement about encryption being a bool Signed-off-by: Nicolas Werner <[email protected]> * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Split up the big alternatives section * Collapse the same descriptions for publicRooms and hierarchy into one * Shorten the 'accessible' section again * Update proposals/3266-room-summary.md Co-authored-by: Richard van der Hoff <[email protected]> * Update proposals/3266-room-summary.md * Update proposals/3266-room-summary.md Co-authored-by: Alexey Rusakov <[email protected]> * Support knock_restricted rooms and rename to room_summary As well as a few smaller clarifications. * Be more explicit about authentication * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> * Fix error codes and missing "Optional" * Also add allowed_room_ids to hierarchy API It suffers from the same knock_restricted issue. * Apply suggestions from code review Co-authored-by: Eric Eastwood <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> * Update spec links * Clarify accessibility rules * Update proposals/3266-room-summary.md Co-authored-by: Richard van der Hoff <[email protected]> * Update proposals/3266-room-summary.md Co-authored-by: Johannes Marbach <[email protected]> * Unauthenticated access is impl-dependent * add to response * Clarify resposnse documentation. * Clarify situation for invited rooms * further clarification about unauth access * Update proposals/3266-room-summary.md Co-authored-by: Johannes Marbach <[email protected]> --------- Signed-off-by: Nicolas Werner <[email protected]> Co-authored-by: Andrew Morgan <[email protected]> Co-authored-by: Alexey Rusakov <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> Co-authored-by: Eric Eastwood <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Johannes Marbach <[email protected]>
…g#2965) * OIDC discovery MSC * Add `account` field * Add id_token_hint to account management URL * Add reference to MSC3861 * Add missing heading * Fix reference to MSC3861 * Update proposals/2965-oidc-discovery.md Co-authored-by: Patrick Cloke <[email protected]> * Fix typo * Update 2965-oidc-discovery.md * Update proposals/2965-oidc-discovery.md Co-authored-by: Patrick Cloke <[email protected]> * Update proposals/2965-oidc-discovery.md Co-authored-by: Patrick Cloke <[email protected]> * OIDC Provider -> OpenID Provider * Define account management URL params * Link for account management URLs * MSC2965: move from well-known discovery to a dedicated C-S endpoint * MSC2965: add a note about why the well-known alternative has been discarded * MSC2965: move the account management URL to the provider metadata * MSC2965: line breaks * MSC2965: update note about the account endpoint metadata * Move the /auth_issuer endpoint to the v1 prefix * Add the `org.matrix.cross_signing_reset` action * Typo * Rename MSC * Remove account-related URLs * Mention RFC8414 as alternative * Outline another alternative: publish the metadata through a C-S API * Fix the alternative flow * Publish the auth server metadata through a new C-S API endpoint This removes the depdency on OIDC specs * renamed 2965-oidc-discovery.md -> 2965-auth-metadata.md * Clarify auth & rate limiting requirements Co-authored-by: Travis Ralston <[email protected]> * Mention the MSCs using each metadata value * Explain what to do when next-gen auth is not available * Add rationale for not using a .well-known endpoint * Reformat with prettier * Add `issuer` to the required metadata fields * Explain why we don't just use static C-S endpoints * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Move the rationale for not using a `.well-known` document to the alternatives section. * Typo * Clarify why using the .well-known would be confusing Co-authored-by: Richard van der Hoff <[email protected]> * Clarify what 'UIA flows' are exactly Co-authored-by: Richard van der Hoff <[email protected]> --------- Co-authored-by: Hugh Nimmo-Smith <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]>
…atrix-org#4254) * MSC4254: Usage of RFC7009 Token Revocation for Matrix client logout * Clarify how the token_type_hint parameter is used * Clarify what the server should do if the client_id is not provided * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Tonkku <[email protected]> * Explain why we allow revoking without a client_id better * Clarify how this replaces the /logout API * Some non-contentious clarifying bits * s/login/logout/ Co-authored-by: Patrick Cloke <[email protected]> --------- Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Tonkku <[email protected]> Co-authored-by: Andrew Morgan <[email protected]> Co-authored-by: Patrick Cloke <[email protected]>
…trix-org#3861) * Matrix architecture change to delegate authentication via OIDC * MSC3861 * typoe * typoes * typoes * Add proposal for Matrix.org Foundation to become member of OpenID Foundation * Update proposals/3861-delegated-oidc-architecture.md Co-authored-by: greizgh <[email protected]> * Move images inline * Use term OpenID Provider * Add note about extending UIA as alternative * Add reference to related MSCs * Rework the MSC to better explain the rationale for the change * Start writing the actual proposal * Remove unused images * Expand on 'why not just OIDC' and fix some typos * Add note on the history of the proposal * renamed 3861-delegated-oidc-architecture.md -> 3861-next-generation-auth.md * Define token revocation through MSC4254 & add sample flow * Use the new version of MSC2965 * List a few potential issues * Mention areweoidcyet.com * Apply suggestions from code review Co-authored-by: Travis Ralston <[email protected]> * § about how we keep the ecosystem open * Update the alternatives table to stop mentioning 'OP' * Reword how we mention MSC dependencies that are already in the spec * Reformat with prettier * Make it clearer what proposals are adjacente, write about ASes * Add links about the current C-S API * Add links to the spec * Add links about OIDC and OAuth 2.0 * Clarify what the 'system browser' means * Give an example of a better email verification flow * Typo * Reword what the benefits of using the homeserver's domain name are * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Talk more about the implications of scoped access tokens. * Linkify /capabilities * Clarify that the sample flow is non-normative * Explain why we can't 'just use' OpenID Connect better * Explain how currently HS can restrict client used * Clarify what 'UIA APIs' mean in this proposal * Mention that in theory UIA fallbacks also means implementation complexity on the homeserver side. * Clarify that it doesn't have to be the *default* browser * Clarify that I meant /login * Reword around dynamic registration * Reword: /login is not UIA! Co-authored-by: Richard van der Hoff <[email protected]> * Add link for "web-based fallback" Co-authored-by: Richard van der Hoff <[email protected]> * Typo Co-authored-by: Alexey Rusakov <[email protected]> * Reword the browser redirect explanation Co-authored-by: Alexey Rusakov <[email protected]> * Remove easter egg * Better outline the rationale for this MSC Co-Authored-By: Erik Johnston <[email protected]> * Remove the redundant point about 'protecting the user's creds' * Simplify the argument for client registration Co-Authored-By: Richard van der Hoff <[email protected]> Co-Authored-By: Erik Johnston <[email protected]> * Clarify what we aim to deprecate * Typo Co-authored-by: Andrew Morgan <[email protected]> --------- Co-authored-by: Matthew Hodgson <[email protected]> Co-authored-by: greizgh <[email protected]> Co-authored-by: Quentin Gliech <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Alexey Rusakov <[email protected]> Co-authored-by: Erik Johnston <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Andrew Morgan <[email protected]>
…n grant (matrix-org#2964) * OAuth 2.0 profile MSC * Refer to OP rather than AS to avoid clash with Application Service * Title update and intro about architectural change * Add section on endpoints that would now be outside of scope and so removed * Spelling * Section on proposed endpoints that would no longer be relevant * Consistency with MSC3861 and cleanup * Standardise terminology on OpenID Provider = OP * Update proposals/2964-oauth2-profile.md Co-authored-by: Dominik Henneke <[email protected]> * Notes on QR and browserless * OpenID id_token endpoint is still needed * Notes about confusion with existing OIDC and OpenID capabilities * Additional endpoints to be removed * Add 3pid endpoints that would be removed * Changes to GET /account/3pid * Alternative proposal for 3PID handling * Add section on removing UIA * Refer to UIA as API * We now have proposal for 3PID and guest access * Logout semantics * Remove TBDs that are done * More done items * Remove dependency loop * Rework proposal to only cover the authorization code flow * Fix a bunch of todos * Fix typos * Fix the response_mode being an authorization request parameter * Apply suggestions from code review Co-authored-by: Tonkku <[email protected]> * Remove unused images * Expand the security considerations section * Clarify that using PKCE with *S256* is mandatory * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * All Matrix clients are public clients, no need to be too specific * Add PAR/RAR in 'alternatives' section * Replace horizontal rules with subsections * Clarify how the client should handle access token refresh failures * Explain why clients should use the fragment response_mode better * Explain the scope better in the example * Clarify that `code_verifier` should be cryptographically random Co-authored-by: Andrew Morgan <[email protected]> * Typo Co-authored-by: Andrew Morgan <[email protected]> --------- Co-authored-by: Hugh Nimmo-Smith <[email protected]> Co-authored-by: Hugh Nimmo-Smith <[email protected]> Co-authored-by: Dominik Henneke <[email protected]> Co-authored-by: Tonkku <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Andrew Morgan <[email protected]>
…trix-org#2966) * OAuth 2.0 Dynamic Registration MSC * contacts is required non-empty * Make client_uri mandatory * Rework MSC - makes some metadata optional - better explain how each metadata field is used - better explain what the restrictions on redirect_uris are - remove the signed metadata part - mention the client metadata JSON document alternative * Mention the `token_endpoint_auth_method` client metadata * Update proposals/2966-oauth2-dynamic-registration.md Co-authored-by: Tonkku <[email protected]> * State that the homeserver should display the tos_uri and policy_uri * Make the wording for the refresh token clearer * Clarify that native callbacks with no slashes are allowed * Give an example where the server ignores an unsupported grant type * Add security considerations * must -> MUST, should -> SHOULD, may -> MAY * Clarify the client should store the client_id * Simplify definition of client_uri, already covered by the RFC * Explain the point of the MSC earlier Co-authored-by: Richard van der Hoff <[email protected]> * Remove empty section * Explicitly state that the client_uri is required * Apply suggestions from code review Co-authored-by: Richard van der Hoff <[email protected]> * Fix the web/native client sub-sub-sub sections * Clarify the localhost port-less redirect URIs * The server should return a 201 on successful registration * Explain better the restrictions on URIs * Allow custom ports in the redirect URI * Client regs won't grow exponentially * Explain how to mitigate the problem of client registrations growing over time. * Add missing metadata in the dynamic registration response * Make 'metadata localization' its own sub-sub-sub-sub-section Co-authored-by: Andrew Morgan <[email protected]> * Server may still deduplicate registrations Co-authored-by: Andrew Morgan <[email protected]> * Suggest different strategies to mitigate the growing number of client registrations * Let the server delete client registrations that have no active sessions * Really, shoud MUST do a new client reg * Make sure the summary doesn't sound authoritative * Put the links at the end of the file * Explain what is Matrix-specific, what is not --------- Co-authored-by: Hugh Nimmo-Smith <[email protected]> Co-authored-by: Tonkku <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Andrew Morgan <[email protected]>
* API Scopes MSC * Proposed insufficient privilege response format * Remove realm as not required * Clarifications + update on latest device management proposal * Revised namespace structure + unstable prefixes * Revise prefix for device ID * Reference to MSC3861 + cleanup * Add scope for guest access and tidy up * No need for UIA scope * Update proposals/2967-api-scopes.md Co-authored-by: Patrick Cloke <[email protected]> * Clarification about encoding of device ID within URN scope * Rework MSC - Remove insufficient privilege response - Remove guest scopes - Reword some parts * Update proposals/2967-api-scopes.md Co-authored-by: Travis Ralston <[email protected]> * Reword as dbkr suggested * Reword how unstable subdivisions are used * Remove confusing sentence * Gather all the links at the bottom of the document * Tyding up, define exactly how device IDs are handled * Don't use a table for a single row * Typo Co-authored-by: David Baker <[email protected]> * Fix math rendering * Fix the math * Minor rewording on device uniqueness Co-authored-by: Richard van der Hoff <[email protected]> * Simplify wording around the ASCII range Co-authored-by: Richard van der Hoff <[email protected]> * Typo Co-authored-by: Richard van der Hoff <[email protected]> * Scope vs scope token is confusing Co-authored-by: Richard van der Hoff <[email protected]> * Reword how the device ID is requested * Explain why we keep the device ID generation on the client * MSCXXXX is a better placeholder Co-authored-by: Andrew Morgan <[email protected]> * The scope MUST have a device ID * Clarify that device IDs are still unique per user Co-authored-by: Patrick Cloke <[email protected]> --------- Co-authored-by: Hugh Nimmo-Smith <[email protected]> Co-authored-by: Patrick Cloke <[email protected]> Co-authored-by: Travis Ralston <[email protected]> Co-authored-by: David Baker <[email protected]> Co-authored-by: Richard van der Hoff <[email protected]> Co-authored-by: Andrew Morgan <[email protected]>
Fix a couple of broken links in the MSC checklist
Now that I know the number.
Better phrasing to distinguish between generic ignore and invite ignore. Server behaviour specified.
Typo fix.
|
The branch this MSC is based upon is in use by another MSC, losing its content. I'm closing this while the branch is in use by another MSC. edit: please feel free to reopen the MSC with a different branch |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
rendered