MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On#4450
MSC4450: Identity Provider selection for User-Interactive Authentication with Legacy Single Sign-On#4450reivilibre wants to merge 1 commit into
Conversation
reivilibre
force-pushed
the
rei/uiaa_sso_web_fallback_idp_id
branch
from
9daba64 to
2bf6ba3
Compare
reivilibre
changed the title
reivilibre
force-pushed
the
rei/uiaa_sso_web_fallback_idp_id
branch
from
2bf6ba3 to
cda42b3
Compare
turt2live
added
proposal
…Legacy Single Sign-On
reivilibre
force-pushed
the
rei/uiaa_sso_web_fallback_idp_id
branch
from
cda42b3 to
3d1e670
Compare
| authentication type (`m.login.sso`), the client must direct the user to complete the flow in the | ||
| browser, using the fallback URL at `/_matrix/client/v3/auth/m.login.sso/fallback/web?session=<session ID>`. | ||
|
|
||
| (Note that despite being called 'fallback', there is no other method for completing `m.login.sso`.) |
There was a problem hiding this comment.
As-is, this statement is confusing as m.login.sso also applies to login.
More clear:
| (Note that despite being called 'fallback', there is no other method for completing `m.login.sso`.) | |
| (Note that despite being called 'fallback', there is no other method for completing User-Interactive Authentication for the `m.login.sso` type.) |
For my own reference, "User-Interactive Authentication" is separate from the login flow. User-Interactive Authentication is used to authorize a specific action (like when changing your password, deleting devices, etc) when you're already logged in.
|
|
||
| If the Identity Provider identifier refers to an Identity Provider that is non-existent, | ||
| not associated to the user or otherwise invalid, | ||
| the homeserver MAY either treat the parameter as not having been set, or display an error to the user, |
There was a problem hiding this comment.
the homeserver MAY either treat the parameter as not having been set
Feels like the homeserver should always error if it supports this parameter.
For homeservers that don't support this parameter, chances are it will be ignored though but that should just be noted as a client expectation (as it is already).
| so perhaps it's not worth proceeding with changes to legacy authentication. | ||
|
|
||
|
|
||
| ## Alternatives |
There was a problem hiding this comment.
Given the homeserver is the one returning the session ID to be used in the User-Interactive Authentication flow, doesn't the homeserver have some idea about which SSO provider was used to login the user in the first place. And the homeserver could be using the same SSO provider for the fallback endpoint.
For my reference on how "User-Interactive Authentication" works:
- Client tries to change password:
POST /_matrix/client/v3/account/passwordwith{ "new_password": "newpass" }->401{ "flows": [{ "stages": ["m.login.sso"] }], "params": { ... }, "session": "xyz123" } - Client directs the user to
/_matrix/client/v3/auth/m.login.sso/fallback/web?session=xyz123 - User authorizes and the final HTML page has a few triggers to notify the opener about the flow being complete. For client apps that can't hook the
postMessagenotification, they usually just ask the user to press next when it's complete. - The client tries the same
POST /_matrix/client/v3/account/passwordrequest but with{ "new_password": "newpass", "auth": { "session": "xyz123" } }and the homeserver validates that the user ID of the requester matches the one in the session.
There was a problem hiding this comment.
To answer my own question, Synapse already does this but users can be associated with multiple identity providers and we just arbitrarily select one. People want to be able to use whichever identity provider to authorize the action.
There was a problem hiding this comment.
hmm, thinking about this more, this could also be solved by Synapse picking a more appropriate identity provider (the one you logged in with that particular the client) instead of picking an arbitrary identity provider used on your account.
|
|
||
| ## Proposal | ||
|
|
||
| An `idp_id` query parameter is introduced to the `m.login.sso` fallback endpoint: |
There was a problem hiding this comment.
How do we expect the client to know which idp_id to use from the list of identity_providers?
Especially in the face of:
Presenting a web UI for manual selection is not useful in this customer's situation as it would only confuse the user.
There was a problem hiding this comment.
Reading element-hq/synapse#19691 a bit closer, in this case, it sounds like each client has a dedicated identity provider which is probably hard-coded.
(I'm unable to resolve this discussion)
3 participants
Rendered