MSC1721: Rename m.login.cas to m.login.sso #1721
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
# MSC1721: Rename `m.login.cas` to `m.login.sso` | ||
|
||
The Matrix Client-Server spec includes a [section on client login using Central | ||
Authentication Service | ||
(CAS)](https://matrix.org/docs/spec/client_server/r0.4.0.html#cas-based-client-login). | ||
|
||
The spec currently fails to mention it, but this process is triggered when [`GET | ||
/login`](https://matrix.org/docs/spec/client_server/r0.4.0.html#get-matrix-client-r0-login) | ||
returns a flow type of `m.login.cas`. | ||
|
||
Nothing in this flow is specific to CAS - it is equally applicable for other | ||
web-based single-sign-on processes, such as SAML. | ||
|
||
Accordingly, we should rename `cas` to `sso`. | ||
|
||
## Proposal | ||
|
||
1. `m.login.sso` should be defined as a valid login type for return from `GET | ||
/login`. (We should probably mention `m.login.cas` in the spec while we are | ||
there). | ||
|
||
2. When a client wishes to use the SSO login type, it should redirect to | ||
`/_matrix/client/r0/login/sso/redirect` (instead of | ||
`/_matrix/client/r0/login/cas/redirect`). | ||
|
||
3. Servers should treat `/_matrix/client/r0/login/sso/redirect` identically to | ||
`/_matrix/client/r0/login/cas/redirect`: they should issue a redirect to | ||
their configured single-sign-on system. | ||
|
||
4. Servers should probably rename the post-authentication callback endpoint | ||
s/probably// imo
I've actually removed this section altogether. The server's behaviour needs to be completely different depending on whether it's handling a CAS or a SAML response, so it makes sense to leave it as
||
`/_matrix/client/r0/login/sso/ticket` instead of | ||
`/_matrix/client/r0/login/cas/ticket`. Note, however, that this name is only | ||
a suggestion: the full name of this endpoint is implementation-specific. | ||
|
||
5. Servers which support `m.login.sso` should make sure they update their [login | ||
fallback page](https://matrix.org/docs/spec/client_server/r0.4.0.html#login-fallback) | ||
to understand the new login type. |
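Review bot: Items 1 to 3 leave the transition undefined: they do not say whether `GET /login` should advertise `m.login.sso` alongside `m.login.cas` or instead of it, nor whether servers must keep serving `/_matrix/client/r0/login/cas/redirect` once the `sso` path exists. A client that only recognises `m.login.cas` has no login path if a server switches outright, so state the expected behaviour explicitly, for example that servers return both flow types and accept both redirect paths for a defined period. In item 4, "should probably" together with "this name is only a suggestion" gives implementers nothing normative to follow; either make it a plain non-normative note or drop it from the numbered requirements.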
Will it return `m.long.sso` along with `m.login.cas` or instead of it? I'd probably recommend "along" for the transition period (but I'd really be interested to know how many clients are even watching for `m.login.cas` - probably there's nothing worth discussing).
s/m.long.sso/m.login.sso
yup think it's best to return both for now.
riot-web has some very rudimentary support for m.login.cas, but that's it afaik