MSC4127: Removal of query string auth #4127
Conversation
turt2live
changed the title
turt2live
added
proposal
There was a problem hiding this comment.
Implementation requirements:
- None, in my opinion. The MSC is not feasible to implement beyond what has already been described in the proposal itself.
| Query string authentication becomes *removed* from the [Client-Server API](https://spec.matrix.org/v1.10/client-server-api/#using-access-tokens) | ||
| and [Identity Service API](https://spec.matrix.org/v1.10/identity-service-api/#authentication). |
There was a problem hiding this comment.
An issue that Synapse ran into with MSC2832 which removed query parameter auth for app services is that we did not want to drop support for old spec versions, but did want to follow this guidance. (matrix-org/synapse#15379 has some of the discussion.)
We ended up saying Synapse was still compatible with 1.4, but had a configuration flag for re-enabling the old behavior (disabling it by default in the name of secure defaults).
I'm not sure if I have a recommendation, but wanting to be both backwards compatible and secure by default was difficult in this situation. I guess one option would have been to only declare support for the older versions if the config flag was flipped, but I think various clients would have stopped working if we did that.
Rendered
In line with matrix-org/matrix-spec#1700, the following disclosure applies:
I am Director of Standards Development at The Matrix.org Foundation C.I.C., Matrix Spec Core Team (SCT) member, employed by Element, and operate the t2bot.io service. This proposal is written and published with my role as a member of the SCT.
Requires #4126
Fixes matrix-org/matrix-spec#1780