Open Johennes opened 3 months ago
As a federation endpoint, there will be other Authorization headers. I'm not sure if these would cause conflict.
Hm, yeah you're right:
Authorization: X-Matrix origin="origin.hs.example.com",destination="destination.hs.example.com",key="ed25519:key1",sig="ABCDEF..."
So I guess the best we could do is append the token to the custom X-Matrix scheme with a dedicated key. Not sure if that would make things better or worse. 🤔
Suggestion
The GET /_matrix/federation/v1/openid/userinfo endpoint currently takes the access token as a query parameter. This is contrary to OIDC's own definition of /userinfo, which uses the Authorization header to submit the token. It's also somewhat contrary to MSC4126, where query string authorization was removed from the CS and IS APIs. Unless there are reasons against it, I think we should introduce header authorization and deprecate query string authorization on this endpoint, too.