diff --git a/crates/data-model/src/compat.rs b/crates/data-model/src/compat.rs index 7f6e0b1e..7bb97933 100644 --- a/crates/data-model/src/compat.rs +++ b/crates/data-model/src/compat.rs @@ -46,7 +46,9 @@ impl Device { #[must_use] pub fn to_scope_token(&self) -> ScopeToken { // SAFETY: the inner id should only have valid scope characters - format!("urn:matrix:device:{}", self.id).parse().unwrap() + format!("urn:matrix:org.matrix.msc2967.client:device:{}", self.id) + .parse() + .unwrap() } /// Generate a random device ID diff --git a/crates/handlers/src/oauth2/authorization/complete.rs b/crates/handlers/src/oauth2/authorization/complete.rs index eebff629..8c837d05 100644 --- a/crates/handlers/src/oauth2/authorization/complete.rs +++ b/crates/handlers/src/oauth2/authorization/complete.rs @@ -219,7 +219,7 @@ pub(crate) async fn complete( let lacks_consent = grant .scope .difference(¤t_consent) - .any(|scope| !scope.starts_with("urn:matrix:device:")); + .any(|scope| !scope.starts_with("urn:matrix:org.matrix.msc2967.client:device:")); // Check if the client lacks consent *or* if consent was explicitely asked if lacks_consent || grant.requires_consent { diff --git a/crates/handlers/src/oauth2/consent.rs b/crates/handlers/src/oauth2/consent.rs index 4bfd79fc..0410edb3 100644 --- a/crates/handlers/src/oauth2/consent.rs +++ b/crates/handlers/src/oauth2/consent.rs @@ -153,11 +153,11 @@ pub(crate) async fn post( return Err(anyhow::anyhow!("policy violation").into()); } - // Do not consent for the "urn:matrix:device:*" scope + // Do not consent for the "urn:matrix:org.matrix.msc2967.client:device:*" scope let scope_without_device = grant .scope .iter() - .filter(|s| !s.starts_with("urn:matrix:device:")) + .filter(|s| !s.starts_with("urn:matrix:org.matrix.msc2967.client:device:")) .cloned() .collect(); insert_client_consent( diff --git a/crates/oauth2-types/src/scope.rs b/crates/oauth2-types/src/scope.rs index bb24508f..7c6aa6e8 100644 --- a/crates/oauth2-types/src/scope.rs 
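Review bot: The new `to_scope_token` body still ends in a bare `unwrap()` justified by a `// SAFETY:` comment, a marker normally reserved for `unsafe` blocks; the real invariant is that `self.id` holds only scope-token characters, so state it where it is relied on with `.expect("device id contains only valid scope-token characters")` and drop the comment. If a `Device` can be built from a client-supplied id (a compat login `device_id`, for instance) that invariant is not enforced here and a parse failure is a panic on attacker-controlled input, so it is worth confirming that construction validates the id or making this method return a `Result`. The prefix literal is now also spelled out in the handlers and policy crates; a `pub const DEVICE_SCOPE_PREFIX: &str = "urn:matrix:org.matrix.msc2967.client:device:";` next to this method, used as `format!("{}{}", DEVICE_SCOPE_PREFIX, self.id)`, gives the other Rust call sites one definition to reference. The enclosing `impl Device` continues outside the hunk.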
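Review bot: The `lacks_consent` closure hard-codes the device-scope prefix a second time, and the same literal appears in `Device::to_scope_token` and in consent.rs; the three must agree byte for byte or device scopes silently start requiring consent (or, the other way round, a scope slips past the consent check), and nothing ties them together. Referencing one shared constant, `.any(|scope| !scope.starts_with(DEVICE_SCOPE_PREFIX))`, removes that drift. `starts_with` also accepts any token that merely begins with the prefix, so the bypass presumably relies on the authorization-grant policy having validated the device id shape before `complete` runs; if so, a comment such as `// device scopes are session-bound and never need user consent; the policy has already validated their shape` makes the dependency explicit. The `complete` function starts before the hunk.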
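Review bot: The updated comment above `scope_without_device` says what is filtered but not why, which is the part a future maintainer needs when deciding whether a new scope family should be stored as consent. Something like `// Device scopes are bound to a single grant and are never recorded as client consent; complete.rs skips them the same way when checking for missing consent` captures the reason as far as this diff shows it, and that the two filters must stay in step. The `post` handler starts before the hunk.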
+++ b/crates/oauth2-types/src/scope.rs @@ -206,6 +206,6 @@ mod tests { ); assert!(Scope::from_str("http://example.com").is_ok()); - assert!(Scope::from_str("urn:matrix:*").is_ok()); + assert!(Scope::from_str("urn:matrix:org.matrix.msc2967.client:*").is_ok()); } } diff --git a/crates/policy/policies/authorization_grant.rego b/crates/policy/policies/authorization_grant.rego index ffb0befe..a7c604e1 100644 --- a/crates/policy/policies/authorization_grant.rego +++ b/crates/policy/policies/authorization_grant.rego @@ -21,10 +21,10 @@ allowed_scope("urn:synapse:admin:*") { } allowed_scope(scope) { - regex.match("urn:matrix:device:[A-Za-z0-9-]{10,}", scope) + regex.match("urn:matrix:org.matrix.msc2967.client:device:[A-Za-z0-9-]{10,}", scope) } -allowed_scope("urn:matrix:api:*") = true +allowed_scope("urn:matrix:org.matrix.msc2967.client:api:*") = true violation[{"msg": msg}] { some scope in split(input.authorization_grant.scope, " ") @@ -34,5 +34,5 @@ violation[{"msg": msg}] { violation[{"msg": "only one device scope is allowed at a time"}] { scope_list := split(input.authorization_grant.scope, " ") - count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:device:")}) > 1 + count({key | scope_list[key]; startswith(scope_list[key], "urn:matrix:org.matrix.msc2967.client:device:")}) > 1 } diff --git a/crates/policy/policies/authorization_grant_test.rego b/crates/policy/policies/authorization_grant_test.rego index ba4adf5c..f852c5d7 100644 --- a/crates/policy/policies/authorization_grant_test.rego +++ b/crates/policy/policies/authorization_grant_test.rego 
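Review bot: The updated assertion only checks that the wildcard `urn:matrix:org.matrix.msc2967.client:*` parses; the exact string `Device::to_scope_token` emits, and the `api:*` form the policy allows, are never parsed here. Adding `assert!(Scope::from_str("urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01").is_ok());` and `assert!(Scope::from_str("urn:matrix:org.matrix.msc2967.client:api:*").is_ok());` pins the forms the other crates rely on, so a later tightening of the `Scope` grammar (rejecting `.` or `*`, say) fails in this test rather than in `to_scope_token`'s `unwrap()`.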
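Review bot: The new `allowed_scope(scope)` regex is unanchored and its dots are unescaped: OPA's `regex.match` succeeds on a substring match, so `urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01:anything` and `xurn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01` are both accepted, and `org.matrix` also matches `orgXmatrix`. The old pattern had the same weakness, but the longer namespace makes this the moment to fix it: `regex.match("^urn:matrix:org\\.matrix\\.msc2967\\.client:device:[A-Za-z0-9-]{10,}$", scope)`. The Rust handlers only test `starts_with` on this prefix, so a scope with trailing characters that passes the policy is treated as a device scope downstream; what happens to the extra characters when the device id is extracted cannot be seen from this diff.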
@@ -23,33 +23,33 @@ test_standard_scopes { test_matrix_scopes { allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:api:*"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:api:*"} } test_device_scopes { allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01"} allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01-asdasdsa1-2313"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01-asdasdsa1-2313"} # Invalid characters not allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:AABB:CCDDEE"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB:CCDDEE"} not allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:AABB*CCDDEE"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB*CCDDEE"} not allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:AABB!CCDDEE"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AABB!CCDDEE"} # Too short not allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:abcd"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:abcd"} # Multiple device scope not allow with input.user as user - with input.authorization_grant as {"scope": "urn:matrix:device:AAbbCCdd01 urn:matrix:device:AAbbCCdd02"} + with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01 urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd02"} } test_synapse_admin_scopes { 
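Review bot: The device-scope tests cover bad characters, short ids and duplicates, but none checks that nothing may follow a valid id or precede the `urn:` prefix, which is exactly what an unanchored `regex.match` in the policy lets through. Adding `not allow with input.user as user with input.authorization_grant as {"scope": "urn:matrix:org.matrix.msc2967.client:device:AAbbCCdd01:extra"}` under the `# Invalid characters` group documents the intended strictness; unless the policy regex is anchored with `^`/`$`, expect it to fail against the policy as written in this commit.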
diff --git a/crates/templates/src/res/pages/consent.html b/crates/templates/src/res/pages/consent.html index 3bcc314e..5f376535 100644 --- a/crates/templates/src/res/pages/consent.html +++ b/crates/templates/src/res/pages/consent.html @@ -40,7 +40,7 @@ limitations under the License. {% for scope in grant.scope | split(pat=" ") %} {% if scope == "openid" %}