Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC2858: Multiple SSO Identity Providers #2858

Merged
merged 31 commits into from
Mar 14, 2021
Merged
Changes from 8 commits
Commits
Show all changes
31 commits
Select commit Hold shift + click to select a range
2047320
Multiple SSO Identity Providers
t3chguy Nov 9, 2020
a7eba77
Fix MSC number
t3chguy Nov 9, 2020
2064536
Update proposals/2858-Multiple-SSO-Identity-Providers.md
t3chguy Nov 12, 2020
a391a4a
Iterate the MSC
t3chguy Nov 13, 2020
874e32d
Merge remote-tracking branch 'origin/t3chguy/msc/multi-sso' into t3ch…
t3chguy Nov 13, 2020
f444273
be stricter on the icon url
t3chguy Nov 13, 2020
8ac2359
Iterate MSC based on feedback
t3chguy Nov 19, 2020
153c557
Add more explanation
t3chguy Nov 26, 2020
c7063a4
Iterate PR based on feedback
t3chguy Jan 18, 2021
8be6540
Update proposals/2858-Multiple-SSO-Identity-Providers.md
t3chguy Jan 19, 2021
85ccf93
Remove UIA stuff
t3chguy Jan 19, 2021
1d90cac
Merge branch 't3chguy/msc/multi-sso' of github.com:matrix-org/matrix-…
t3chguy Jan 19, 2021
277ff68
Formatting tweaks
richvdh Jan 27, 2021
0c18f83
grammar clarifications
richvdh Jan 27, 2021
09d41c5
add 'brand'
richvdh Jan 27, 2021
8434605
Update proposals/2858-Multiple-SSO-Identity-Providers.md
richvdh Jan 27, 2021
ba08c9f
notes on and alternatives
richvdh Jan 27, 2021
6badb3b
Notes on OAuth2 and unknown idps
richvdh Mar 1, 2021
ba3e204
Update proposals/2858-Multiple-SSO-Identity-Providers.md
t3chguy Mar 1, 2021
dce9c9f
Move the idp `brand` assignments out to a registry
richvdh Mar 2, 2021
434d686
fix up markdown
richvdh Mar 2, 2021
2d4da14
more fix markdown
richvdh Mar 2, 2021
9a4e821
fix link
richvdh Mar 2, 2021
62cc76f
Move sequence diagram into doc
richvdh Mar 3, 2021
a596efd
Get rid of the registry for now
richvdh Mar 3, 2021
178cbe1
Update proposals/2858-Multiple-SSO-Identity-Providers.md
richvdh Mar 3, 2021
1ba0c39
Change the brand identifiers again
richvdh Mar 9, 2021
7871da7
Update proposals/2858-Multiple-SSO-Identity-Providers.md
richvdh Mar 9, 2021
d5166eb
Update proposals/2858-Multiple-SSO-Identity-Providers.md
richvdh Mar 9, 2021
49f7624
update brand descriptions
richvdh Mar 9, 2021
a8a7acc
update UIA
richvdh Mar 9, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
135 changes: 135 additions & 0 deletions proposals/2858-Multiple-SSO-Identity-Providers.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
# MSC2858: Multiple SSO Identity Providers

Matrix already has generic SSO support, but it does not yield the best user experience especially for
instances which wish to offer multiple identity providers. This MSC provides a simple and fully
backwards compatible way to extend the current spec which would allow clients to give users options
like `Continue with Google` and `Continue with Github` side-by-side.


## Proposal

Currently, Matrix supports `m.login.sso`, `m.login.token` and `/login/sso/redirect` for clients to
pass their user to the configured Identity provider and for them to come back with something which
is exchangeable for a Matrix access token. This flow offers no insight to the user as to what
Identity providers are available. It allows clients to offer a super generic `Sign in with SSO`
button only. With the currently possible solutions and workarounds the experience is far from great
and user's have to blindly click `Sign in with SSO` without any clue as to what's hiding on the other
t3chguy marked this conversation as resolved.
Show resolved Hide resolved
side of the door. Some users will definitely not be familiar with `SSO` but will be with the concept of
"Continue with Google" or similar.

By augmenting the `m.login.sso` flow discovery definition to include metadata on the supported IDPs
the client can show a button for each of the supported providers, yielding a much more usable
experience. This would look like this:

```json
{
"flows": [
{
"type": "m.login.sso",
"identity_providers": [
{
"id": "google",
t3chguy marked this conversation as resolved.
Show resolved Hide resolved
"name": "Google",
"icon": "https://..."
t3chguy marked this conversation as resolved.
Show resolved Hide resolved
},
{
"id": "github",
"name": "Github",
"icon": "https://..."
richvdh marked this conversation as resolved.
Show resolved Hide resolved
}
]
},
{
"type": "m.login.token"
}
]
}
```

The `id` field would be opaque with the accepted characters matching unreserved URI characters
as defined in [RFC3986](http://www.ietf.org/rfc/rfc3986.txt) - this was chosen to avoid
having to encode special characters in the URL. Max length 128. Defined as:
```
ALPHA DIGIT "-" / "." / "_" / "~"
```
richvdh marked this conversation as resolved.
Show resolved Hide resolved

The `name` field should be the human readable string intended for printing by the client.

The `icon` field is the only optional field and should point to an icon representing the IdP.
t3chguy marked this conversation as resolved.
Show resolved Hide resolved
If present then it must be an HTTPS URL to an image resource. This should be hosted by the
homeserver service provider to not leak the client's IP address unnecessarily.
t3chguy marked this conversation as resolved.
Show resolved Hide resolved


A new endpoint would be needed to support redirecting directly to one of the IDPs:

`GET /_matrix/client/r0/login/sso/redirect/{idp_id}`

This would behave identically to the existing endpoint without the last argument
except would allow the server to forward the user directly to the correct IdP.
richvdh marked this conversation as resolved.
Show resolved Hide resolved

For the case of backwards compatibility the existing endpoint should remain,
and if the server supports multiple SSO IDPs it should offer the user a page
which lets them choose between the available IdP options as a fallback.
t3chguy marked this conversation as resolved.
Show resolved Hide resolved

For the case of User Interactive Auth the server would just give the appropriate
identity provider as an option, that being the same as the user used to login with.
t3chguy marked this conversation as resolved.
Show resolved Hide resolved
An example UIA 401 response is shown below:
```json
{
"session": "session_id",
"flows":[
{
"stages": ["m.login.sso"]
}
],
"params": {
"m.login.sso": {
"identity_providers": [
{
"id": "google",
"name": "Google",
"icon": "https://..."
}
]
}
}
}
```

The exact format of `identity_providers` is kept between Login flows and UIA,
this allows better code reuse and in future for multiple IdPs to map to the
same Matrix account and the user having the ability to use either to complete
UIA.
richvdh marked this conversation as resolved.
Show resolved Hide resolved


## Potential issues

None discovered at this time


## Alternatives
t3chguy marked this conversation as resolved.
Show resolved Hide resolved
richvdh marked this conversation as resolved.
Show resolved Hide resolved

An alternative to the whole approach would be to allow `m.login.sso.$idp` but this forces
treating an opaque identifier as hierarchical and offers worse backwards compatibility.

An alternative to the proposed backwards compatibility plan where the server offers a
fallback page which fills the gap and lets the user choose which SSO IdP they need is
for the server to deterministically always pick one, maybe the first option and let
old clients only auth via that one but that means potentially locking users out of their
accounts.


## Security considerations

This could potentially aid phishing attacks by bad homeservers, where if the app says
`Continue with Google` and then they are taken to a page which is styled to look like
the Google login page they might be a tiny bit more susceptible to being phished as opposed
as to when they click a more generic `Sign in with SSO` button, but this attack was possible
anyhow using a different vector of a controlled Element/client instance which modifies
the text.


## Unstable prefix

Whilst in development use `org.matrix.msc2858.identity_providers` for the flow discovery and `/_matrix/client/unstable/org.matrix.msc2858/login/sso/redirect/{idp_id}`
for the new endpoints.
richvdh marked this conversation as resolved.
Show resolved Hide resolved