-
Notifications
You must be signed in to change notification settings - Fork 382
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MSC4108: Mechanism to allow OIDC sign in and E2EE set up via QR code #4108
base: main
Are you sure you want to change the base?
Conversation
finally, it is no longer just an idea presented at FOSDEM 🥳 |
5cd815f
to
177a2db
Compare
…org/matrix-spec-proposals into element-hq/oidc-qr-login
- An indicator (the **intent**) to say if this is a new device which wishes to "initiate" a login, or an existing device | ||
that wishes to "reciprocate" a login |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I find these terms ("initiate" and "reciprocate") mildly confusing and always have to pause a second to understand which is which. A better pair might be "petition" and "grant"?
Though if these were chosen to align with some prior art elsewhere, it's not that horrible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree that the terms are not ideal. I think I chose them as they are used elsewhere in the Client-Server API specification. I'm not sure "petition" and "grant" are better though!
Another way we could describe it is by defining the disposition of the device.
So, the "initiator" could become the "un-authenticated device". And the "reciprocator" could become the "authenticated device"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a device, the unauthenticated one, "wishes" to login and the other, authenticated, one "grants" it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a device, the unauthenticated one, "wishes" to login and the other, authenticated, one "grants" it.
This "grants" terminology clashes with OIDC.
In OIDC the OIDC Provider "grants" access after the user has "consented".
Specifically, the device doesn't have the authority to grant access. Only the OIDC Provider.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about `which wishes to login, or an existing device that wishes to open for a login" then?
This commits adds a Elliptic Curve Encryption Scheme, this scheme can be used in ephemeral situations where a full 3DH-based Olm session might be overkill or too hard to set up. The canonical example where this can be used is the QR code login feature in Matrix[1]. Co-authored-by: Denis Kasak <dkasak@termina.org.uk> Co-authored-by: Hugh Nimmo-Smith <hughns@users.noreply.github.com> [1]: matrix-org/matrix-spec-proposals#4108
This commits adds a Elliptic Curve Encryption Scheme, this scheme can be used in ephemeral situations where a full 3DH-based Olm session might be overkill or too hard to set up. The canonical example where this can be used is the QR code login feature in Matrix[1]. Co-authored-by: Denis Kasak <dkasak@termina.org.uk> Co-authored-by: Hugh Nimmo-Smith <hughns@users.noreply.github.com> [1]: matrix-org/matrix-spec-proposals#4108
Co-authored-by: Damir Jelić <poljar@termina.org.uk>
This implements one part of MSC4108[1], it implements the case where the new device scans the QR code. [1]: matrix-org/matrix-spec-proposals#4108
This implements one part of MSC4108[1], it implements the case where the new device scans the QR code. [1]: matrix-org/matrix-spec-proposals#4108
Co-authored-by: Damir Jelić <poljar@termina.org.uk>
# Synapse 1.109.0 (2024-06-18) - Add the ability to auto-accept invites on the behalf of users. See the [`auto_accept_invites`](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#auto-accept-invites) config option for details. ([\#17147](element-hq/synapse#17147)) - Add experimental [MSC3575](matrix-org/matrix-spec-proposals#3575) Sliding Sync `/sync/e2ee` endpoint for to-device messages and device encryption info. ([\#17167](element-hq/synapse#17167)) - Support [MSC3916](matrix-org/matrix-spec-proposals#3916) by adding unstable media endpoints to `/_matrix/client`. ([\#17213](element-hq/synapse#17213)) - Add logging to tasks managed by the task scheduler, showing CPU and database usage. ([\#17219](element-hq/synapse#17219)) # Synapse 1.108.0 (2024-05-28) - Add a feature that allows clients to query the configured federation whitelist. Disabled by default. ([\#16848](element-hq/synapse#16848), [\#17199](element-hq/synapse#17199)) - Add the ability to allow numeric user IDs with a specific prefix when in the CAS flow. Contributed by Aurélien Grimpard. ([\#17098](element-hq/synapse#17098)) Synapse 1.107.0 (2024-05-14) - Add preliminary support for [MSC3823: Account Suspension](matrix-org/matrix-spec-proposals#3823). ([\#17051](element-hq/synapse#17051)) - Declare support for [Matrix v1.10](https://matrix.org/blog/2024/03/22/matrix-v1.10-release/). Contributed by @clokep. ([\#17082](element-hq/synapse#17082)) - Add support for [MSC4115: membership metadata on events](matrix-org/matrix-spec-proposals#4115). ([\#17104](element-hq/synapse#17104), [\#17137](element-hq/synapse#17137)) # Synapse 1.106.0 (2024-04-30) - Send an email if the address is already bound to an user account. ([\#16819](element-hq/synapse#16819)) - Implement the rendezvous mechanism described by [MSC4108](matrix-org/matrix-spec-proposals#4108). ([\#17056](element-hq/synapse#17056)) - Support delegating the rendezvous mechanism described [MSC4108](matrix-org/matrix-spec-proposals#4108) to an external implementation. ([\#17086](element-hq/synapse#17086))
Co-authored-by: Denis Kasak <dkasak@termina.org.uk>
…main) to fix QR code login Related to matrix-org/matrix-spec-proposals#4108
Btw can we get the inverse option too? Logging into the desktop/web client through QR on mobile, similar to Whatsapp Web or Discord log in. |
Yes, this proposal allows for this flow too. 👍 |
…tication Service is enabled Related to 8a6b822 Related to matrix-org/matrix-spec-proposals#4108 Potential (unconfirmed) fix for #3749
this MSC allows for logging in and verifying a device with a qr code, but as it's known for some time now, qr codes present significant challenges to visually impaired people, who can't see the portion of the screen the qr code is in to scan it, because most assistive technologies aren't advanced enough for that. So then, what about visually impaired people who also want a quicker login flow? Here's a proposal I thought of, based on what other apps do about this, like whatsapp for example:
There are two more interesting alternatives I thought of, which may or may not be of more use:
What do you think, would any of this be possible at all? true, we can login normally, by specifying a homeserver, being redirected to the oidc provider and going through all that stuff, but just because we can't scan the qr code, we shouldn't be barred from this kind of quick login. So then, let's see if we can make matrix more accessible, from the roots rather than relying on the clients to implement something nonstandard, if at all |
Some first thoughts on @albertotirla's proposals, from a random matrix user just watching the PR out of curiosity: Proposal 1This proposal might prevent QR code login from being used in the common usecase of wanting to use your logged-in smartphone/tablet to quickly login a device without a camera, such most desktop (and probably some laptop) pcs. A PC at work or school, for example. An authentication code of format Edit Addendum: Maybe pass-phrases would be preferable to numeric auth codes? Though if relying on the user manually entering codes, the expiry must be generous enough to not be a major hindrance, even if the user is somehow slowed. (Also, I really hope any login is exclusively done over secured channels, such as HTTPS.) Proposal 2The sound code login idea sounds interesting, but also unsuitable as a default(-ish) login method. It might be promising as an optional alternative to QR code login. In many scenarios intentionally causing noise is not desirable or socially acceptable. I suspect the sounds generated might not be pleasant for humans and that many potential client devices do not have any attached microphones (or speakers). Even some smartphones intentionally do not have a built-in microphone, or have microphone access restricted. Additionally, depending on where you are, unauthorized recording of sound-encoded authentication codes might be easier than being in a position to repliably scan a displayed QR code on a target's device. Proposal 3NFC-driven login sounds interesting, but has the restriction of likely being limited to smartphone-to-smartphone login, which cripples it's real-world usefulness. NFC chips are only common in smartphones, to the best of my knowledge, and I currently do not see any trend to add them to many other potential matrix client devices. |
ok, so let's address this in order. I'll focus more on your issues with proposal 1, however perhaps it will be nice to modify this spec to have a pretty much plugginable architecture for how the code is generated, because it's the same information anyway
The other methods aren't very important, but quickly about the sound one
|
A requirement of this proposal is that the QR code needs to contain 1) a 32-byte Curve25519 public key 2) the URL of the rendezvous server session. This makes the proposal to turn it into a short numeric code a non-starter. (Also note that the standard way of commenting on MSCs is by using the |
for the first issue, it could be relatively simple to fix
Anyone any other ideas though? I'm trying to come up with a scheme for us to also be able to use this kind of login, but surely I might be missing some idea which is better, after all whatsapp used a similar method and it works for them, perhaps we should simplify our flows? For the second, I thought that might be the case, and github isn't accessible enough to be able to comment on multiple lines, just one at a time. However, when I asked that in a matrix room, I'll leave the name of that room out to not incriminate people who don't want to be incriminated, people told me to do it this way, because I didn't know on what line to put the comment. Either way, I'll know for the future, in case there's an actual line to comment on |
so, given all the feedback in the previous comments, and also due to a friend of mine who gave me an idea, I think I have a better grasp of what we would need to make this work
If this is to be deemed acceptable for most people here, I recommend we make it so that we can't find ourselves in the situation where one client only implements morse code, another only qr and then it's users who suffer. So, I think clients who implement the qr flow should be required by the spec to also implement the morse code for accessibility reasons, but those who implement only morse code don't have to also implement qr code, because anyone can still use the morse code login flow even if they can see to scan a qr code. Is this a better idea? perhaps it's time we try something out and see if it could work, are there issues I overlooked? or maybe, who knows, is it worse than those which came before it? |
The spec isn't law. Even if the spec said implementations supporting QR code also need to support audio code login, I think neither the spec nor servers reasonably can (or should) enforce that rule. And if I understand correctly, one of the goals of moving auth away into MAS and using OIDC is to make implementing compliant clients easier. So if the audio login method is going to, at most, be an (optional) alternative to QR code login anyways, I feel like discussions on that probably shouldn't derail discussion/progress on this QR code login MSC. I've said my two cents, so I'll stay out of the discussion from here on. 🙂 |
yeah, people told me throughout today to make a new MSC for this, which is what I will do soon enough, not sure on specific details unfortunately. So yeah, for the other people beside me who want quick login to be accessible to everyone, and especially if you think the morse code idea has some merit to it, stay tuned! |
Rendered
Dependencies:
Implementations:
Video demo: