Hacker News new | ask | show | jobs
by ushakov 1676 days ago
i was considering somewhat similar approach, where if the user accepts a room invite i would authenticate them

but this doesn’t work, because there is only one standard method of authentication, which is by sending username/password
1 comments
3np 1676 days ago
...Why?

A matrix bot could send the user a short-lived token they can paste to the site to authenticate. Optional QR for mobile.

No need for homeserver changes, changing protocols or touching any user credentials.

Since you’d rely on an existing matrix session, the bot could send the token e2ee, meaning after TOFU you could even protect against malicious homeserver operators.

You could also do the inverse, having the user send the token to the bot.

link
ushakov 1676 days ago
this is neat and i have thought of that

but it does not authenticate you against the homeserver and does not grant you the access token, meaning the application would not be able to access Matrix APIs on user's behalf

link
3np 1675 days ago
Why does a federated sign-in solution for a third-party web app need to authenticate to the homeserver or access Matrix APIs on the users behalf?!

That’s exactly what you want to avoid.

The bot can still get things shared by the user like username, avatar, 3pids and pubkeys.

Can you give me a use-case that my proposed solution is insufficient for due to inability to impersonate the user to the Matrix homeserver?

link