|
| 1 | +# MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On |
| 2 | + |
| 3 | +When a client presents a user with a User-Interactive Authentication flow using the Single Sign-On |
| 4 | +authentication type (`m.login.sso`), the client must direct the user to complete the flow in the |
| 5 | +browser, using the fallback URL at `/_matrix/client/v3/auth/m.login.sso/fallback/web?session=<session ID>`. |
| 6 | + |
| 7 | +(Note that despite being called 'fallback', there is no other method for completing `m.login.sso`.) |
| 8 | + |
| 9 | +It is possible for a homeserver to have multiple Single Sign-On providers (also known as 'Identity Providers'). |
| 10 | + |
| 11 | +There is currently no mechanism for the client to indicate a preference/selection of identity provider |
| 12 | +to be used for the User-Interactive Authentication flow. |
| 13 | + |
| 14 | +This proposal adds such a mechanism. |
| 15 | + |
| 16 | + |
| 17 | +## Proposal |
| 18 | + |
| 19 | +An `idp_id` query parameter is introduced to the `m.login.sso` fallback endpoint: |
| 20 | + |
| 21 | +``` |
| 22 | +/_matrix/client/v3/auth/m.login.sso/fallback/web?session=<session ID>&idp_id=<IDP ID> |
| 23 | +``` |
| 24 | + |
| 25 | +The IDP IDs (Identity Provider identifiers) are the same as used in the [`GET /_matrix/client/v3/login/sso/redirect/{idpId}`](https://spec.matrix.org/v1.15/client-server-api/#get_matrixclientv3loginssoredirectidpid) endpoint. |
| 26 | + |
| 27 | +If the Identity Provider identifier is not set, the homeserver MUST act the same as before this MSC |
| 28 | +was introduced, for example automatically selecting an Identity Provider or offering a web user interface |
| 29 | +for the user to do so manually. |
| 30 | + |
| 31 | +If the Identity Provider identifier refers to an Identity Provider that is non-existent, |
| 32 | +not associated to the user or otherwise invalid, |
| 33 | +the homeserver MAY either treat the parameter as not having been set, or display an error to the user, |
| 34 | +depending on which is more appropriate for the homeserver's circumstances. |
| 35 | + |
| 36 | + |
| 37 | +## Potential issues |
| 38 | + |
| 39 | +- Legacy authentication is already somewhat in the process of being replaced by OAuth 2.0 authentication, |
| 40 | + so perhaps it's not worth proceeding with changes to legacy authentication. |
| 41 | + |
| 42 | + |
| 43 | +## Alternatives |
| 44 | + |
| 45 | +- We could instead make it possible for the homeserver to offer multiple `m.login.sso` authentication options |
| 46 | + and have a generic authentication 'subtype' system for selecting one of multiple independent `m.login.sso` |
| 47 | + authentication options. |
| 48 | + |
| 49 | + This 'subtype' approach could generalise beyond `m.login.sso`. |
| 50 | + |
| 51 | + The fallback for authentication subtypes could then be exposed at e.g. `/_matrix/client/v4/auth/<auth type>/<auth subtype>/fallback/web?session=<session ID>` |
| 52 | + |
| 53 | + |
| 54 | +## Security considerations |
| 55 | + |
| 56 | +None anticipated. |
| 57 | + |
| 58 | + |
| 59 | +## Unstable prefix |
| 60 | + |
| 61 | + |
| 62 | + |
| 63 | +No `/versions` advertisement is necessary, as homeservers ignore extraneous query parameters and so |
| 64 | +homeservers which do not support this feature will ignore the added query parameter. |
| 65 | + |
| 66 | + |
| 67 | +## Dependencies |
| 68 | + |
| 69 | +None. |
0 commit comments