Move support for application service query parameter authorization behind a configuration option (#16017)
2 files changed, 29 insertions, 1 deletions
diff --git a/docs/upgrade.md b/docs/upgrade.md
index 5dde6c769e..f50a279e98 100644
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -88,6 +88,21 @@ process, for example:
dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
```
+# Upgrading to v1.90.0
+
+## App service query parameter authorization is now a configuration option
+
+Synapse v1.81.0 deprecated application service authorization via query parameters as this is
+considered insecure - and from Synapse v1.71.0 forwards the application service token has also been sent via
+[the `Authorization` header](https://spec.matrix.org/v1.6/application-service-api/#authorization)], making the insecure
+query parameter authorization redundant. Since removing the ability to continue to use query parameters could break
+backwards compatibility it has now been put behind a configuration option, `use_appservice_legacy_authorization`.
+This option defaults to false, but can be activated by adding
+```yaml
+use_appservice_legacy_authorization: true
+```
+to your configuration.
+
# Upgrading to v1.89.0
## Removal of unspecced `user` property for `/register`
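Review bot: The link on the `Authorization` header line ends with a stray `]` (`...#authorization)],`), which will render as a literal bracket; drop it. The paragraph also calls query parameter authorization "considered insecure" without giving the reason or saying which direction it covers. The config reference in this same change describes the option as controlling whether the token is sent in the `access_token` query parameter, so say that here as well. Because the option defaults to false, the note should also tell operators of application services that only read the query parameter what to do before upgrading.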
@@ -97,7 +112,6 @@ The standard `username` property should be used instead. See the
[Application Service specification](https://spec.matrix.org/v1.7/application-service-api/#server-admin-style-permissions)
for more information.
-
# Upgrading to v1.88.0
## Minimum supported Python version
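Review bot: The removed blank line before `# Upgrading to v1.88.0` is unrelated to the option being documented, and it runs against the first hunk of this file, which adds a blank line before `# Upgrading to v1.89.0`. Keep the blank line so the section headings stay consistently separated, or move the whitespace change to its own commit.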
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index c32608da2b..2987c9332d 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -2849,6 +2849,20 @@ Example configuration:
track_appservice_user_ips: true
```
---
+### `use_appservice_legacy_authorization`
+
+Whether to send the application service access tokens via the `access_token` query parameter
+per older versions of the Matrix specification. Defaults to false. Set to true to enable sending
+access tokens via a query parameter.
+
+**Enabling this option is considered insecure and is not recommended. **
+
+Example configuration:
+```yaml
+use_appservice_legacy_authorization: true
+```
+
+---
### `macaroon_secret_key`
A secret which is used to sign
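Review bot: The warning line closes its bold span as `recommended. **`, with a space before the closing `**`, so CommonMark renderers will not treat it as emphasis and will show the asterisks literally; write `**Enabling this option is considered insecure and is not recommended.**`. The description should also say whether the `Authorization` header is still sent when the option is true, since the upgrade note states the token has been sent in that header since v1.71.0. A one-sentence reason for why the query parameter is considered insecure would make the warning actionable rather than only asserted.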