MSC4312: Resetting cross-signing keys in the OAuth world by Johennes · Pull Request #4312 · matrix-org/matrix-spec-proposals

Johennes · 2025-07-15T08:19:45Z

Rendered

Implementations:

Server
- Synapse: Use custom stage UIA error for MAS cross-signing reset element-hq/synapse#17509 (July 2024)
- MAS:
Client:
- Element Web (supporting the new UIA stage): Add support for org.matrix.cross_signing_reset UIA stage flow element-hq/matrix-react-sdk#34
- Example of client that doesn't support the UIA stage working using the fallback:

ScreenRecording_09-25-2025.16-32-30_2.mov

SCT Stuff:

FCP tickyboxes

MSC checklist

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>

proposals/4312-x-signing-reset-with-nextgen-auth.md

hughns · 2025-09-17T19:17:00Z

MAS lists the org.matrix.cross_signing_reset action in the account_management_actions_supported from MSC4191. e.g. in https://account.matrix.org/.well-known/openid-configuration

Does this need to be added to this MSC?

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>

Johennes · 2025-09-18T06:44:56Z

MAS lists the org.matrix.cross_signing_reset action in the account_management_actions_supported from MSC4191. e.g. in https://account.matrix.org/.well-known/openid-configuration

Does this need to be added to this MSC?

Good point. I hadn't noticed that MSC4191 doesn't list this action. Have added it here with a781be5.

hughns · 2025-09-24T17:25:30Z

proposals/4312-x-signing-reset-with-nextgen-auth.md

+
+Rather than approving cross-signing reset specifically, the authorization server could provide
+mechanisms for temporary scope elevation.
+


Following a discussion with @erikjohnston earlier it might be helpful to elaborate on this:

Suggested change

An example of a potential mechanism that could help achieve this is the

[RFC 9470 OAuth 2.0 Step Up Authentication Challenge Protocol](https://datatracker.ietf.org/doc/rfc9470/).

Theoretically such a mechanism could act as full replacement for UIA in the CS API

where protection is needed for sensitive actions.

However, the is no proposal on how this would be applied to the CS API and therefore

it is proposed to codify this present mechanism that does allow for the specific

cross-signing reset action.

This feels like the correct solution?

Yeah, it probably is. This proposal was originally only intended to document the status quo that I found on matrix.org so that it could be reused by other implementations in the interim. It doesn't feel great to add this into the spec. If the good solution is far away though, it might be better than the current situation where the spec renders the OAuth login APIs and cross-signing key reset incompatible.

I applied @hughns suggestion separately with d8649fb but will leave this thread open in case there's further input.

It may not change the plan for this proposal but I have tried to adapt RFC9470 to Matrix in #4363.

Given that this is already deployed on matrix.org ( 😢 ), and Element-Web implements support for it (cf element-hq/element-meta#2956), I think we had better spec what we have asap and leave the Correct Solution for another time.

turt2live

otherwise lgtm

proposals/4312-x-signing-reset-with-nextgen-auth.md

turt2live · 2025-09-24T19:25:45Z

turt2live · 2025-09-24T19:29:49Z

@mscbot fcp merge
@mscbot concern Requires evidence that fallback UIA support kinda mostly works well enough
@mscbot concern Include Step Up alternative in proposal

mscbot · 2025-09-24T19:29:53Z

mscbot · 2025-10-15T13:08:52Z

The final comment period, with a disposition to merge, as per the review above, is now complete.

Johennes · 2025-10-17T12:46:31Z

Spec PR: matrix-org/matrix-spec#2234

turt2live · 2025-11-24T17:58:49Z

Merged 🎉

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [element-hq/synapse](https://github.com/element-hq/synapse) | minor | `1.145.0` → `1.146.0` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>element-hq/synapse (element-hq/synapse)</summary> ### [`v1.146.0`](https://github.com/element-hq/synapse/releases/tag/v1.146.0) [Compare Source](element-hq/synapse@v1.145.0...v1.146.0rc1) ### Synapse 1.146.0 (2026-01-27) No significant changes since 1.146.0rc1. #### Deprecations and Removals - [MSC2697](matrix-org/matrix-spec-proposals#2697) (Dehydrated devices) has been removed, as the MSC is closed. Developers should migrate to [MSC3814](matrix-org/matrix-spec-proposals#3814). ([#19346](element-hq/synapse#19346)) - Support for Ubuntu 25.04 (Plucky Puffin) has been dropped. Synapse no longer builds debian packages for Ubuntu 25.04. ### Synapse 1.146.0rc1 (2026-01-20) #### Features - Add a new config option [`enable_local_media_storage`](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage) which controls whether media is additionally stored locally when using configured `media_storage_providers`. Setting this to `false` allows off-site media storage without a local cache. Contributed by Patrice Brend'amour [@dr](https://github.com/dr).allgood. ([#19204](element-hq/synapse#19204)) - Stabilise support for [MSC4312](matrix-org/matrix-spec-proposals#4312 `m.oauth` User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (`org.matrix.cross_signing_reset`) is now deprecated and will be removed in a future release. ([#19273](element-hq/synapse#19273)) - Refactor Grafana dashboard to use `server_name` label (instead of `instance`). ([#19337](element-hq/synapse#19337)) #### Bugfixes - Fix joining a restricted v12 room locally when no local room creator is present but local users with sufficient power levels are. Contributed by [@nexy7574](https://github.com/nexy7574). ([#19321](element-hq/synapse#19321)) - Fixed parallel calls to `/_matrix/media/v1/create` being ratelimited for appservices even if `rate_limited: false` was set in the registration. Contributed by [@tulir](https://github.com/tulir) @ Beeper. ([#19335](element-hq/synapse#19335)) - Fix a bug introduced in 1.61.0 where a user's membership in a room was accidentally ignored when considering access to historical state events in rooms with the "shared" history visibility. Contributed by Lukas Tautz. ([#19353](element-hq/synapse#19353)) - [MSC4140](matrix-org/matrix-spec-proposals#4140): Store the JSON content of scheduled delayed events as text instead of a byte array. This fixes the inability to schedule a delayed event with non-ASCII characters in its content. ([#19360](element-hq/synapse#19360)) - Always rollback database transactions when retrying (avoid orphaned connections). ([#19372](element-hq/synapse#19372)) - Fix `InFlightGauge` typing to allow upgrading to `prometheus_client` 0.24. ([#19379](element-hq/synapse#19379)) #### Updates to the Docker image - Add [Prometheus HTTP service discovery](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config) endpoint for easy discovery of all workers when using the `docker/Dockerfile-workers` image (see the [*Metrics* section of our Docker testing docs](docker/README-testing.md#metrics)). ([#19336](element-hq/synapse#19336)) #### Improved Documentation - Remove docs on legacy metric names (no longer in the codebase since 2022-12-06). ([#19341](element-hq/synapse#19341)) - Clarify how the estimated value of room complexity is calculated internally. ([#19384](element-hq/synapse#19384)) #### Internal Changes - Add an internal `cancel_task` API to the task scheduler. ([#19310](element-hq/synapse#19310)) - Tweak docstrings and signatures of `auth_types_for_event` and `get_catchup_room_event_ids`. ([#19320](element-hq/synapse#19320)) - Replace usage of deprecated `assertEquals` with `assertEqual` in unit test code. ([#19345](element-hq/synapse#19345)) - Drop support for Ubuntu 25.04 'Plucky Puffin', add support for Ubuntu 25.10 'Questing Quokka'. ([#19348](element-hq/synapse#19348)) - Revert "Add an Admin API endpoint for listing quarantined media ([#19268](element-hq/synapse#19268))". ([#19351](element-hq/synapse#19351)) - Bump `mdbook` from 0.4.17 to 0.5.2 and remove our custom table-of-contents plugin in favour of the new default functionality. ([#19356](element-hq/synapse#19356)) - Replace deprecated usage of PyGitHub's `GitRelease.title` with `.name` in release script. ([#19358](element-hq/synapse#19358)) - Update the Element logo in Synapse's README to be an absolute URL, allowing it to render on other sites (such as PyPI). ([#19368](element-hq/synapse#19368)) - Apply minor tweaks to v1.145.0 changelog. ([#19376](element-hq/synapse#19376)) - Update Grafana dashboard syntax to use the latest from importing/exporting with Grafana 12.3.1. ([#19381](element-hq/synapse#19381)) - Warn about skipping reactor metrics when using unknown reactor type. ([#19383](element-hq/synapse#19383)) - Add support for reactor metrics with the `ProxiedReactor` used in worker Complement tests. ([#19385](element-hq/synapse#19385)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).  Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/3533 Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net> Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>

# Famedly Synapse Release v1.146.0_1 depends on: famedly/complement#10 ## Famedly additions for v1.146.0_1 - feat: trigger CI actions (that are triggered on PRs) in merge queue (FrenchGithubUser) ### Notes for Famedly: #### Deprecations and Removals - matrix-org/matrix-spec-proposals#2697 (Dehydrated devices) has been removed, as the MSC is closed. Developers should migrate to matrix-org/matrix-spec-proposals#3814. (element-hq/synapse#19346) - Support for Ubuntu 25.04 (Plucky Puffin) has been dropped. Synapse no longer builds debian packages for Ubuntu 25.04. #### Updates to the Docker image - Add [Prometheus HTTP service discovery](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#http_sd_config) endpoint for easy discovery of all workers when using the docker/Dockerfile-workers image (see the [Metrics section of our Docker testing docs](https://github.com/famedly/synapse/pull/docker/README-testing.md#metrics)). (element-hq/synapse#19336) #### Features - Add a new config option [enable_local_media_storage](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage) which controls whether media is additionally stored locally when using configured media_storage_providers. Setting this to false allows off-site media storage without a local cache. Contributed by Patrice Brend'amour @dr.allgood. (element-hq/synapse#19204) - Stabilise support for matrix-org/matrix-spec-proposals#4312 m.oauth User-Interactive Auth stage for resetting cross-signing identity with the OAuth 2.0 API. The old, unstable name (org.matrix.cross_signing_reset) is now deprecated and will be removed in a future release. (element-hq/synapse#19273) - Refactor Grafana dashboard to use server_name label (instead of instance). (element-hq/synapse#19337)

Johennes changed the title ~~MSCXXXX: Resetting cross-signing keys in the OAuth world~~ MSC4312: Resetting cross-signing keys in the OAuth world Jul 15, 2025

MSC4312: Resetting cross-signing keys in the OAuth world

e78bc09

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>

Johennes force-pushed the johannes/x-signing-reset-with-nextgen-auth branch from cc0517c to e78bc09 Compare July 15, 2025 08:20

Johennes marked this pull request as ready for review July 15, 2025 08:21

Link to MSC4191

8e93df3

Johennes mentioned this pull request Jul 15, 2025

Add the OAuth 2.0 based authentication API, as per MSC3861 and its sub-proposals. (#2141, #2148, #2149, #2150, #2151, #2159, #2164) gematik/api-ti-messenger#324

Closed

turt2live added proposal A matrix spec change proposal client-server Client-Server API kind:maintenance MSC which clarifies/updates existing spec needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. labels Jul 15, 2025

turt2live reviewed Jul 15, 2025

View reviewed changes

proposals/4312-x-signing-reset-with-nextgen-auth.md Show resolved Hide resolved

richvdh mentioned this pull request Aug 27, 2025

Unspecced org.matrix.cross_signing_reset UIA type element-hq/element-meta#2956

Open

Add org.matrix.cross_signing_reset navigation action

a781be5

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>

hughns reviewed Sep 24, 2025

View reviewed changes

turt2live approved these changes Sep 24, 2025

View reviewed changes

proposals/4312-x-signing-reset-with-nextgen-auth.md Outdated Show resolved Hide resolved

turt2live added kind:core MSC which is critical to the protocol's success matrix-2.0 Required for Matrix 2.0 and removed kind:maintenance MSC which clarifies/updates existing spec labels Sep 24, 2025

turt2live added this to Spec Core Team Workflow Sep 24, 2025

github-project-automation bot moved this to Tracking for review in Spec Core Team Workflow Sep 24, 2025

mscbot added proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. disposition-merge unresolved-concerns This proposal has at least one outstanding concern labels Sep 24, 2025

turt2live moved this from Tracking for review to Ready for FCP ticks in Spec Core Team Workflow Sep 24, 2025

turt2live added the 00-weekly-pings Tracking for weekly pings in the SCT office. 00 to make it first in the labels list. label Sep 24, 2025

mscbot added final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. and removed proposed-final-comment-period Currently awaiting signoff of a majority of team members in order to enter the final comment period. labels Oct 10, 2025

turt2live moved this from Ready for FCP ticks to In FCP in Spec Core Team Workflow Oct 14, 2025

turt2live removed the 00-weekly-pings Tracking for weekly pings in the SCT office. 00 to make it first in the labels list. label Oct 14, 2025

mscbot added finished-final-comment-period and removed disposition-merge final-comment-period This MSC has entered a final comment period in interest to approval, postpone, or delete in 5 days. labels Oct 15, 2025

turt2live merged commit ea0aef0 into matrix-org:main Oct 15, 2025
1 check passed

turt2live added spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec and removed finished-final-comment-period labels Oct 15, 2025

turt2live moved this from In FCP to Requires spec writing in Spec Core Team Workflow Oct 15, 2025

Johennes mentioned this pull request Oct 17, 2025

Spec for MSC4312: Resetting cross-signing keys in the OAuth world matrix-org/matrix-spec#2234

Merged

3 tasks

Johennes mentioned this pull request Oct 17, 2025

MSC4191: Account management for OAuth 2.0 API #4191

Merged

7 tasks

turt2live added spec-pr-in-review A proposal which has been PR'd against the spec and is in review and removed spec-pr-missing Proposal has been implemented and is being used in the wild but hasn't yet been added to the spec labels Oct 17, 2025

turt2live moved this from Requires spec writing to Requires spec PR review in Spec Core Team Workflow Oct 17, 2025

turt2live added merged A proposal whose PR has merged into the spec! and removed spec-pr-in-review A proposal which has been PR'd against the spec and is in review labels Nov 24, 2025

turt2live moved this from Requires spec PR review to Merged in Spec Core Team Workflow Nov 24, 2025

This was referenced Nov 24, 2025

Implement Matrix 1.17 changes ruma/ruma#2270

Closed

client-api: Add support for m.oauth UIAA type ruma/ruma#2300

Merged

This was referenced Jan 29, 2026

TI-M on Matrix v1.17 gematik/api-ti-messenger#341

Open

Support Matrix 1.17 element-hq/synapse#19415

Open

This was referenced Feb 5, 2026

Famedly release/v1.146 famedly/synapse#232

Closed

Famedly release/v1.146 famedly/synapse#236

Merged


		Rather than approving cross-signing reset specifically, the authorization server could provide
		mechanisms for temporary scope elevation.

+An example of a potential mechanism that could help achieve this is the
+[RFC 9470 OAuth 2.0 Step Up Authentication Challenge Protocol](https://datatracker.ietf.org/doc/rfc9470/).
+Theoretically such a mechanism could act as full replacement for UIA in the CS API
+where protection is needed for sensitive actions.
+However, the is no proposal on how this would be applied to the CS API and therefore
+it is proposed to codify this present mechanism that does allow for the specific
+cross-signing reset action.

Conversation

Johennes commented Jul 15, 2025 • edited by hughns Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

hughns commented Sep 17, 2025

Uh oh!

Johennes commented Sep 18, 2025

Uh oh!

hughns Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

clokep Sep 24, 2025

Choose a reason for hiding this comment

Uh oh!

Johennes Sep 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Johennes Sep 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

richvdh Sep 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

turt2live left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

turt2live commented Sep 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

turt2live commented Sep 24, 2025

Uh oh!

mscbot commented Sep 24, 2025 • edited by ara4n Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mscbot commented Oct 15, 2025

Uh oh!

Uh oh!

Johennes commented Oct 17, 2025

Uh oh!

turt2live commented Nov 24, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

Johennes commented Jul 15, 2025 •

edited by hughns

Loading

Johennes Sep 25, 2025 •

edited

Loading

Johennes Sep 30, 2025 •

edited

Loading

richvdh Sep 30, 2025 •

edited

Loading

turt2live commented Sep 24, 2025 •

edited

Loading

mscbot commented Sep 24, 2025 •

edited by ara4n

Loading