Identity server #607

Closed
20 tasks
bmarty opened this issue Oct 7, 2019 · 0 comments · Fixed by #1354
Labels
X-Needs-Design May require input from the design team Z-riotx-go-live
bmarty commented Oct 7, 2019

THE CURRENT DESCRIPTION IS WIP

Introduction

Identity Servers support contact discovery on Matrix by letting people look up Third Party Identifiers to see if the owner has publicly linked them with their Matrix ID.

Related MSCs

The list can be found here: https://matrix.org/blog/2019/09/27/privacy-improvements-in-synapse-1-4-and-riot-1-4

Steps and requirements

  • Only one identity server per account can be set. The choice is stored in account data with key m.identity_server. But every client will manage its own token to log in to the identity server
{
  "type": "m.identity_server",
  "content": {
    "base_url": "https://matrix.org"
  }
}
  • The accepted terms are stored in the account data:
{
  "type": "m.accepted_terms",
  "content": {
    "accepted": [
      "https://vector.im/identity-server-privacy-notice-1"
    ]
  }
}
  • Only API v2 will be supported (see https://matrix.org/docs/spec/identity_service/latest)
  • Default identity server URL, from Wellknown data, is proposed to the user.
  • Identity server can be set
  • Identity server can be changed on another user's device, so when the change is detected (thanks to account data sync) RiotX should properly disconnect from a previous identity server (I think it was not the case in Riot-Android, where we keep the token forever)
  • Registration to the identity server is managed with an openId token
  • TOS can be accepted
  • Identity server can be modified
  • Identity server can be disconnected. Riot-Web displays a warning if there are currently bound 3pids on this identity server.
  • Email can be bound
  • Email can be unbound
  • Phone can be bound
  • Phone can be unbound
  • Look up can be performed, to get matrixIds from local contact book (phone and email): Android permission correctly handled
  • Look up pepper can be updated if it is rotated on the identity server
  • Invitation using 3PID can be done (See [Feature] 3pid invite #548)
  • Homeserver access-token will never be sent to an identity server
  • When user signs out: logout from the identity server if any?
  • When user deactivates account: logout from the identity server if any?

Screenshots of current Android application

Settings

image

Discovery screen

No identity server configured

image

Identity server configured

image

On Riot-Web

image

Configure an Identity server

image

Error

image

TOS

image

Binding an email

image

Lookup

TODO

Ref:
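
The lookup and pepper-rotation items in the task list above, sketched as an added example (not part of the original issue and not RiotX code): contacts are hashed with the `sha256` algorithm of the Identity Service API v2 before being sent, and a rejected pepper triggers one refetch of the hash details and a retry. `FakeIdentityServer`, `InvalidPepper`, `lookup_hash` and `lookup_contacts` are hypothetical names, the server is a constructed in-memory stand-in for `hash_details` and `lookup`, and all addresses and peppers are constructed sample values.

```python
import base64
import hashlib

def lookup_hash(address, medium, pepper):
    """v2 'sha256' lookup hash: unpadded URL-safe base64 of
    SHA-256 over the string "address medium pepper"."""
    digest = hashlib.sha256(f"{address} {medium} {pepper}".encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class InvalidPepper(Exception):
    """Stands in for an M_INVALID_PEPPER error response."""

class FakeIdentityServer:
    """Constructed in-memory stand-in for hash_details and lookup."""
    def __init__(self, pepper, bindings):
        self.pepper = pepper
        self.bindings = bindings      # {(address, medium): matrix_id}
        self.seen_addresses = []      # everything the server received

    def hash_details(self):
        return {"algorithms": ["sha256"], "lookup_pepper": self.pepper}

    def lookup(self, body):
        self.seen_addresses.extend(body["addresses"])
        if body["pepper"] != self.pepper:
            raise InvalidPepper()
        table = {lookup_hash(a, m, self.pepper): mxid
                 for (a, m), mxid in self.bindings.items()}
        return {"mappings": {h: table[h] for h in body["addresses"] if h in table}}

def lookup_contacts(server, contacts, cached_pepper=None):
    """Return ({(address, medium): matrix_id}, pepper_to_cache).
    Retries exactly once if the cached pepper has been rotated."""
    pepper = cached_pepper or server.hash_details()["lookup_pepper"]
    for attempt in range(2):
        # Only hashes leave the device; keep the reverse map locally.
        hashes = {lookup_hash(a, m, pepper): (a, m) for a, m in contacts}
        body = {"algorithm": "sha256", "pepper": pepper, "addresses": list(hashes)}
        try:
            mappings = server.lookup(body)["mappings"]
        except InvalidPepper:
            if attempt == 1:
                raise
            pepper = server.hash_details()["lookup_pepper"]  # rotated: refetch
            continue
        return {hashes[h]: mxid for h, mxid in mappings.items() if h in hashes}, pepper
```

The returned pepper is the value to cache for the next lookup; a real client would send these requests with its identity-server token, never the homeserver access token.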
