
Commit 2f670ca

hughnsara4ngreizghsandhoseturt2live
authored
MSC3861: Next-generation auth for Matrix, based on OAuth 2.0/OIDC (#3861)
* Matrix architecture change to delegate authentication via OIDC
* MSC3861
* typo
* typos
* typos
* Add proposal for Matrix.org Foundation to become member of OpenID Foundation
* Update proposals/3861-delegated-oidc-architecture.md
  Co-authored-by: greizgh <greizgh@ephax.org>
* Move images inline
* Use term OpenID Provider
* Add note about extending UIA as alternative
* Add reference to related MSCs
* Rework the MSC to better explain the rationale for the change
* Start writing the actual proposal
* Remove unused images
* Expand on 'why not just OIDC' and fix some typos
* Add note on the history of the proposal
* renamed 3861-delegated-oidc-architecture.md -> 3861-next-generation-auth.md
* Define token revocation through MSC4254 & add sample flow
* Use the new version of MSC2965
* List a few potential issues
* Mention areweoidcyet.com
* Apply suggestions from code review
  Co-authored-by: Travis Ralston <travisr@matrix.org>
* § about how we keep the ecosystem open
* Update the alternatives table to stop mentioning 'OP'
* Reword how we mention MSC dependencies that are already in the spec
* Reformat with prettier
* Make it clearer what proposals are adjacent, write about ASes
* Add links about the current C-S API
* Add links to the spec
* Add links about OIDC and OAuth 2.0
* Clarify what the 'system browser' means
* Give an example of a better email verification flow
* Typo
* Reword what the benefits of using the homeserver's domain name are
* Apply suggestions from code review
  Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Talk more about the implications of scoped access tokens.
* Linkify /capabilities
* Clarify that the sample flow is non-normative
* Explain why we can't 'just use' OpenID Connect better
* Explain how currently HS can restrict client used
* Clarify what 'UIA APIs' mean in this proposal
* Mention that in theory UIA fallbacks also mean implementation complexity on the homeserver side.
* Clarify that it doesn't have to be the *default* browser
* Clarify that I meant /login
* Reword around dynamic registration
* Reword: /login is not UIA!
  Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Add link for "web-based fallback"
  Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Typo
  Co-authored-by: Alexey Rusakov <Kitsune-Ral@users.sf.net>
* Reword the browser redirect explanation
  Co-authored-by: Alexey Rusakov <Kitsune-Ral@users.sf.net>
* Remove easter egg
* Better outline the rationale for this MSC
  Co-Authored-By: Erik Johnston <erikj@matrix.org>
* Remove the redundant point about 'protecting the user's creds'
* Simplify the argument for client registration
  Co-Authored-By: Richard van der Hoff <richvdh@users.noreply.github.com>
  Co-Authored-By: Erik Johnston <erikj@matrix.org>
* Clarify what we aim to deprecate
* Typo
  Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>

---------

Co-authored-by: Matthew Hodgson <matthew@matrix.org>
Co-authored-by: greizgh <greizgh@ephax.org>
Co-authored-by: Quentin Gliech <quenting@element.io>
Co-authored-by: Travis Ralston <travisr@matrix.org>
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Co-authored-by: Alexey Rusakov <Kitsune-Ral@users.sf.net>
Co-authored-by: Erik Johnston <erikj@matrix.org>
Co-authored-by: Richard van der Hoff <richvdh@users.noreply.github.com>
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
1 parent 8d2fb67 commit 2f670ca

File tree: 1 file changed, +542 −0 lines


0 commit comments
