MSC2832: HS -> AS authorization header (#2832)

* Proposal to fix homeserver -> appservice authorization Signed-off-by: Tulir Asokan <tulir@maunium.net> * Remove query parameter entirely instead of deprecating it Signed-off-by: Tulir Asokan <tulir@maunium.net> * Update title Co-authored-by: Jonathan de Jong <jonathandejong02@gmail.com> Co-authored-by: Jonathan de Jong <jonathandejong02@gmail.com>
matrix-org · Jul 17, 2022 · 5788b7d · 5788b7d
1 parent 3a05bd6
commit 5788b7d
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/proposals/2832-appservice-auth-fix.md b/proposals/2832-appservice-auth-fix.md
@@ -0,0 +1,28 @@
+# MSC2832: Homeserver -> Application Service authorization header
+Most of the auth tokens in the spec are passed in the `Authorization` header,
+with the `access_token` query parameter supported for backwards-compatibility.
+For some reason, the application service spec was not updated in the same way
+and it still requires using the archaic query parameter when the homeserver
+pushes transactions to the appservice.
+
+## Proposal
+The `access_token` query parameter is removed from all requests made by the
+homeserver to appservice and is replaced with the `Authorization` header with
+`Bearer <token>` as the value.
+
+### Backwards-compatibility
+Homeservers which want to support old spec versions in the appservice API may
+send both the query parameter and header. Similarly, appservices may accept the
+token from either source.
+
+## Security considerations
+Not fixing this causes access tokens to be logged in many bridges.
+
+## Alternatives
+We could add a way for appservices to explicitly specify which spec version
+they want in order to implement backwards-compatibility without sending both
+tokens.
+
+## Unstable prefix
+The authorization header is already used in the client-server spec, and an
+unstable prefix would just unnecessarily complicate things.