Spec Account management for OAuth 2.0 API #2270

Merged: turt2live merged 13 commits into matrix-org:main from zecakeh:oauth-account-management on Jan 20, 2026
@zecakeh (Contributor) commented Dec 16, 2025

As per MSC4191.

Pull Request Checklist

Preview: https://pr2270--matrix-spec-previews.netlify.app

As per MSC4191.

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
@zecakeh zecakeh requested a review from a team as a code owner December 16, 2025 19:40
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
@hughns (Member) commented Dec 17, 2025

Question: would it be useful to add notes to the legacy API endpoints to say what the equivalent functionality is in the OAuth 2.0 API?

For example for /_matrix/client/v3/account/deactivate saying something like:

Note: In the OAuth 2.0 API this is replaced by the org.matrix.account_deactivate account management URL action, where supported.

@hughns (Member) left a comment

One of the field names is wrong. Otherwise this looks sensible 👍

@zecakeh (Contributor, Author) commented Dec 17, 2025

> Question: would it be useful to add notes to the legacy API endpoints to say what the equivalent functionality is in the OAuth 2.0 API?
>
> For example for /_matrix/client/v3/account/deactivate saying something like:
>
> Note: In the OAuth 2.0 API this is replaced by the org.matrix.account_deactivate account management URL action, where supported.

I would rather not, we don't do that for other endpoints of the legacy API, and we already have an overview on how to do things depending on the authentication API before defining both APIs.

That said my feelings are not that strong on the subject so if you really think that's better, I'll add it.

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
@zecakeh (Contributor, Author) commented Dec 17, 2025

> I would rather not, we don't do that for other endpoints of the legacy API, and we already have an overview on how to do things depending on the authentication API before defining both APIs.
>
> That said my feelings are not that strong on the subject so if you really think that's better, I'll add it.

Now that I think about it, it might be good to add this as a warning for OAuth aware clients however in #2272.

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
@richvdh richvdh requested a review from hughns January 6, 2026 17:13
@richvdh (Member) left a comment

lgtm modulo a couple of nits

zecakeh and others added 3 commits January 7, 2026 14:55
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
@zecakeh zecakeh requested a review from richvdh January 7, 2026 14:00
@hughns (Member) left a comment

This now looks good to me.

Please can we ask @turt2live to review to make sure it meets the requirements he said here?

> Per recent emails sent to oauth-ext-review on our thread, it seems possible to allow this MSC to go through without formal registration. When we get to the spec PR, we should verbosely describe the fields so we can point to them in a more complete registration application.

@richvdh (Member) left a comment

LGTM

@richvdh richvdh requested a review from turt2live January 13, 2026 18:12
@turt2live (Member) left a comment

I've done a pass based on IANA's perceived requirements, which is a bit nitpicky (sorry). I haven't checked to see how compatible the SHOULD/MAY/MUST-style suggestions are with the original MSC.

Edit: to clarify review state: "approved with changes".

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
It doesn't make sense to have the action schema in a separate file now
that only the `type` is shared.

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
@zecakeh zecakeh requested a review from turt2live January 17, 2026 09:09
@turt2live turt2live merged commit c8c2110 into matrix-org:main Jan 20, 2026
13 checks passed
@zecakeh zecakeh deleted the oauth-account-management branch January 20, 2026 18:08