kamax-matrix / mxisd

Federated Matrix Identity Server
GNU Affero General Public License v3.0

Generate invite emails - (when no match is found 3pid <=> email?) #8

Closed ReqX closed 7 years ago

ReqX commented 7 years ago

As discussed in Matrix HQ (#matrix:matrix.org) [1] the IS sends an invite email on matrix.org if there is no matching uid. Mxisd should try to cover this for its own HS as well imho. While with ldap dirs this certainly has another prio than with a normal IS, it still makes sense to somehow alert people in ldap that they are being invited to a room. I would go so far and - for the special purpose that mxisd serves - would even consider that every invite which results in a query to mxisd should maybe generate a simple invitation email... though I am not sure how the IS will be informed that the client hits "invite" after the query... Up for discussion, maybe there is a better way, especially since the whole IS thing is not fixed yet.

Thx, Mike

[1]https://matrix.to/#/!cURbafjkfsMDVwdRDQ:matrix.org/$14906345581992869sDSnN:matrix.org

maxidorius commented 7 years ago

This is possible yes, but with the following limitation:

It works well on Matrix.org because it is a public server on which you can register and that by default their IS is being used.
This is not the case for a typical mxisd use where the HS does not usually allow invites.

How would you see this working out? Could you give an example of the typical flow of such an invite, including how the invited user would react?

ReqX commented 7 years ago

I don't think we need to cover the mappings to be honest? A user will follow the invite and - in the case of mxisd + ldap3 - login with ldap and hence create a user in the db (without pass etc, just as it normally would be with ldap3). Does it even make sense to use mxisd without the ldap3 plugin on synapse or am I being biased here?

Regarding the flow: 1) User A is in a room and invites user.b@domain.email to join that room.

2) a) No mapping for user.b@domain.email exists so we send out the invitation email plus generate cryptographic token / message (m.room.third_party_invite) in the room so the HS knows about it [1], pretty sure client does that?

2) b) A mapping is found locally or via reverse IS query. If locally, check config(?) whether we should always notify; if reverse... ... no clue. The HS side is handled by the client/HS anyhow. Maybe that can be more easily solved on the HS side when [2] is done.

3) User B gets an email and follows the invitation link to the room. Riot would show a preview (no idea about other clients tbh) and have the user a) either register/login or b) join as guest (if allowed), or c) if the user is currently logged in, ask to add the email to that account (with normal authorisation). Except for c) that is imho of no concern to mxisd. However, currently c) would of course fail on a mxisd - but it should probably do that with a proper error explaining that this is not needed/possible due to an external directory being used, if anyhow possible.

I know this is more like "wishful thinking" than a proper specification; I am probably seeing very specific enterprise use cases, truth be told.

[1] Example: ReqX (Mike) sent an invitation to mic...@het... to join the room.

{
  "origin_server_ts": 1490634183137,
  "sender": "@ReqX:matrix.org",
  "event_id": "$14906341831988678dOKPv:matrix.org",
  "age": 6848967,
  "unsigned": {
    "age": 6848967
  },
  "state_key": "ENjNxYRNDCZIvoEqlgdaEMRTVMWWBnOtJAZOQCCZZFbubRgoWLFvdIwQZKgclAlMmhKFGboPHAJBzQNCSgejTUhdEKMJgZZQXWjkwTGJtaYSQNgWbUIQRBKiUGYlMOtz",
  "content": {
    "key_validity_url": "https://vector.im/_matrix/identity/api/v1/pubkey/isvalid",
    "public_key": "LKd2ww8OslLxmzKShqFvCV4U7xGTcWjq4VDQXYGgdzA",
    "display_name": "mic...@het...",
    "public_keys": [
      {
        "key_validity_url": "https://vector.im/_matrix/identity/api/v1/pubkey/isvalid",
        "public_key": "LKd2ww8OslLxmzKShqFvCV4U7xGTcWjq4VDQXYGgdzA"
      },
      {
        "key_validity_url": "https://vector.im/_matrix/identity/api/v1/pubkey/ephemeral/isvalid",
        "public_key": "EN5iY_jq3r29ayt7KdLoFds9qOyB8-pqJFZwK9owTlA"
      }
    ]
  },
  "room_id": "!cURbafjkfsMDVwdRDQ:matrix.org",
  "user_id": "@ReqX:matrix.org",
  "type": "m.room.third_party_invite"
}

[2] https://github.com/matrix-org/matrix-synapse-ldap3/blob/master/ldap_auth_provider.py#L189
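The flow sketched in steps 1) to 3) above, as an added example that is not mxisd's or synapse's own code: a constructed in-memory directory stands in for the LDAP backend, the identity-server URL and key are assumed values (the key uses the same unpadded base64 form as the event quoted in [1]), and the last function is a homeserver-side sanity check on an m.room.third_party_invite event that the thread itself does not describe.

```python
import base64
import secrets
from urllib.parse import urlparse

# Constructed stand-in for the directory mxisd would query (LDAP in the thread): email -> Matrix ID.
DIRECTORY = {"user.a@example.org": "@user.a:example.org"}
# Assumed identity server; the key is a constructed 32-byte ed25519 public key in unpadded base64.
IS_BASE = "https://is.example.org"
IS_PUBLIC_KEY = "LKd2ww8OslLxmzKShqFvCV4U7xGTcWjq4VDQXYGgdzA"
KEY_URL = f"{IS_BASE}/_matrix/identity/api/v1/pubkey/isvalid"


def lookup_email(address):
    """Step 2: resolve the invited email to a Matrix ID, or None when no mapping exists."""
    return DIRECTORY.get(address.strip().lower())


def obfuscate(address):
    """Display name in the style of the event in [1] ('mic...@het...'), never the full address."""
    local, _, domain = address.partition("@")
    return f"{local[:3]}...@{domain[:3]}..."


def plan_invite(sender, room_id, address):
    """Step 2 a)/b): direct membership invite when a mapping exists, else email + third-party invite."""
    mxid = lookup_email(address)
    if mxid:
        return {"action": "m.room.member", "state_key": mxid, "sender": sender, "room_id": room_id}
    token = secrets.token_urlsafe(48)  # opaque token the IS later binds to the emailed link
    event = {
        "type": "m.room.third_party_invite",
        "sender": sender,
        "room_id": room_id,
        "state_key": token,
        "content": {
            "display_name": obfuscate(address),
            "key_validity_url": KEY_URL,
            "public_key": IS_PUBLIC_KEY,
            "public_keys": [{"key_validity_url": KEY_URL, "public_key": IS_PUBLIC_KEY}],
        },
    }
    return {"action": "email", "to": address, "event": event}


def check_third_party_invite(event, trusted_hosts):
    """Homeserver-side check: honour only keys vouched for by a trusted IS over https, 32 bytes each."""
    keys = event.get("content", {}).get("public_keys", [])
    if event.get("type") != "m.room.third_party_invite" or not event.get("state_key") or not keys:
        return False
    for k in keys:
        u = urlparse(k.get("key_validity_url", ""))
        raw = base64.urlsafe_b64decode(k["public_key"] + "=" * (-len(k["public_key"]) % 4))
        if u.scheme != "https" or u.hostname not in trusted_hosts or len(raw) != 32:
            return False
    return True
```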

maxidorius commented 7 years ago

After a discussion on the matrix channel, closing as invalid.