Deprecate query string authorization for /_matrix/federation/v1/openid/userinfo

[Johennes]

Suggestion

The GET /_matrix/federation/v1/openid/userinfo endpoint currently takes the access token as a query parameter. This is contrary to OIDC's own definition of /userinfo which uses the Authorization header to submit the token. It's also somewhat contrary to MSC4126 where query string authorization was removed from the CS and IS APIs.

Unless there are reasons against it, I think we should introduce header authorization and deprecate query string authorization on this endpoint, too.

[turt2live]

As a federation endpoint, there will be other Authorization headers. I'm not sure if these would cause conflict.

[Johennes]

Hm, yeah you're right:

Authorization: X-Matrix origin="origin.hs.example.com",destination="destination.hs.example.com",key="ed25519:key1",sig="ABCDEF..."

So I guess the best we could do is append the token to the custom X-Matrix scheme with a dedicated key. Not sure if that would make things better or worse. 🤔