Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify access token grammar #625

Open
IvoWingelaar opened this issue May 23, 2020 · 1 comment
Open

Clarify access token grammar #625

IvoWingelaar opened this issue May 23, 2020 · 1 comment
Labels
A-Client-Server Issues affecting the CS API clarification An area where the expected behaviour is understood, but the spec could do with being more explicit

Comments

@IvoWingelaar
Copy link

Currently access tokens are specified according to section 5, which is very similar to RFC6750.
A note clarifies that clients should treat the access token as an opaque byte sequence, but leaves ambiguity with regards to what bytes are actually valid.

Confusingly, RFC6750 specifies that the token should follow the b64token grammar, which does not require base64 encoding, but instead is a set of characters defined identically as token68 specified in RFC7235. By design, token68 includes all base64 encoded strings and URI safe strings.

Am I correct in assuming that currently homeservers and clients implicitly follow RFC6750? And if so, I would suggest to make this requirement explicit in the specification.

@turt2live
Copy link
Member

Clients are expected to take the access token from a login response and echo it back to the server on subsequent requests. They are not meant to care what format the token is in.

The spec is also already limited to UTF-8 encoding on JSON responses, which essentially means that so long as the server can send and receive the token anything is valid. Servers obviously have an interest in not making it complicated for encoding reasons though, which is why the specification recommends a particular format/encoding.

https://github.com/matrix-org/matrix-doc/issues/666 is the general problem of not specifying what "opaque" actually means.

@turt2live turt2live added clarification An area where the expected behaviour is understood, but the spec could do with being more explicit A-Client-Server Issues affecting the CS API labels May 23, 2020
@turt2live turt2live mentioned this issue Mar 1, 2022
12 tasks
@richvdh richvdh transferred this issue from matrix-org/matrix-spec-proposals Mar 1, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Client-Server Issues affecting the CS API clarification An area where the expected behaviour is understood, but the spec could do with being more explicit
Projects
None yet
Development

No branches or pull requests

2 participants