Make central IS opt-in (#80 )

Fix doc layout (cosmetic)
Add LDAP TLS config value in logs
2018-05-31 13:24:00 +02:00 · 2018-05-18 01:47:43 +02:00 · 2018-05-16 15:42:24 +02:00 · 2018-04-26 01:45:04 +02:00 · 2018-04-22 19:27:52 +02:00 · 2018-04-22 00:39:18 +02:00
57 changed files with 1193 additions and 1314 deletions
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
-mxisd - Federated Matrix Identity Server Daemon
+mxisd - Federated Matrix Identity Server
-----
+----------------------------------------
 ![Travis-CI build status](https://travis-ci.org/kamax-io/mxisd.svg?branch=master)  
 - [Overview](#overview)
 - [Features](#features)
- [Why use mxisd](#why-use-mxisd)
+- [Use cases](#use-cases)
 - [Getting Started](#getting-started)
 - [Support](#support)
 - [Contribute](#contribute)
@@ -13,80 +13,77 @@ mxisd - Federated Matrix Identity Server Daemon
 # Overview
 mxisd is a Federated Matrix Identity server for self-hosted Matrix infrastructures with [enhanced features](#features).
 As an enhanced Identity service, it implements the [Matrix Identity service API](https://kamax.io/matrix/api/identity_service/unstable.html)
 and several [extra features](#features) that greatly enhance user experience within Matrix.
 It is the one stop shop for anything regarding Authentication, Directory and Identity management in Matrix built in a
 single coherent product.
-It is specifically designed to connect to an Identity store (AD/Samba/LDAP, SQL Database, Web services/application, ...)
+mxisd is specifically designed to connect to an existing on-premise Identity store (AD/Samba/LDAP, SQL Database,
-and ease the integration of the Matrix ecosystem with an existing infrastructure, or to build a new one using lasting
+Web services/app, etc.) and ease the integration of a Matrix infrastructure within an existing one.
 tools.
-The core principle of mxisd is to map between Matrix IDs and 3PIDs (Third-party Identifiers) for the Homeserver and its
+The core principle of mxisd is to map between Matrix IDs and 3PIDs (Third-Party IDentifiers) for the Homeserver and its
-users. 3PIDs can be anything that identify a user, like:
+users. 3PIDs can be anything that uniquely and globally identify a user, like:
 - Full name
 - Email address
 - Phone number
 - Employee number
 - Skype/Live ID
 - Twitter handle
 - Facebook ID
 - ...
-mxisd is an enhanced Identity service, which implements the
+If you are unfamiliar with the Identity vocabulary and concepts in Matrix, **please read this [introduction](docs/concepts.md)**.
 [Matrix Identity service API](https://matrix.org/docs/spec/identity_service/unstable.html) but also several
 [other features](#features) that greatly enhance user experience within Matrix.
 mxisd is the one stop shop for anything regarding Authentication, Directory and Identity management in Matrix built as a
 single coherent product.
 # Features
-As a [regular Matrix Identity service](docs/features/identity.md):
+[Identity](docs/features/identity.md): As a [regular Matrix Identity service](https://kamax.io/matrix/api/identity_service/unstable.html#general-principles):
- Search for people by 3PID using its own Identity stores (LDAP, SQL, etc.)
+- Search for people by 3PID using its own Identity stores
- Invite people to rooms by 3PID using its own Identity stores, with [notifications](docs/README.md)
+  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#association-lookup))
-to the invitee (Email, SMS, etc.)
+- Invite people to rooms by 3PID using its own Identity stores, with notifications to the invitee (Email, SMS, etc.)
  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#post-matrix-identity-api-v1-store-invite))
 - Allow users to add 3PIDs to their settings/profile
  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#establishing-associations))
 - Register accounts on your Homeserver with 3PIDs
  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#establishing-associations))
 As an enhanced Identity service:
- Use a recursive lookup mechanism when searching and inviting people by 3PID, allowing to fetch data from:
+- [Federation](docs/features/federation.md): Use a recursive lookup mechanism when searching and inviting people by 3PID,
-  - Own Identity store
+  allowing to fetch data from:
  - Own Identity store(s)
  - Federated Identity servers, if applicable to the 3PID
  - Arbitrary Identity servers
  - Central Matrix Identity servers
- [Extensive control of where 3PIDs are transmited](docs/sessions/3pid.md), so they are not leaked publicly by users
+- [Session Control](docs/threepids/session/session.md): Extensive control of where 3PIDs are transmitted so they are not
- [Authentication support](docs/features/authentication.md) for [synapse](https://github.com/matrix-org/synapse) via the
+  leaked publicly by users
-[REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth)
+- [Authentication](docs/features/authentication.md): Use your Identity stores to perform authentication in [synapse](https://github.com/matrix-org/synapse)
- [Directory integration](docs/features/directory-users.md) which allows you to search for users within your
+  via the [REST password provider](https://github.com/kamax-io/matrix-synapse-rest-auth)
-organisation, even without prior Matrix contact
+- [Directory search](docs/features/directory.md) which allows you to search for users within your organisation,
- [Auto-fill of user profile](docs/features/authentication.md) (Display name, 3PIDs) via the
+  even without prior contact within Matrix using arbitrary search terms
-[REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth)
+- [Auto-fill of user profile](docs/features/authentication.md#profile-auto-fill) (Display name, 3PIDs)
 - [Bridge Integration](docs/features/bridge-integration.md): Automatically bridge users without a published Matrix ID
-# Why use mxisd
+# Use cases
- Use your existing Identity store, do not duplicate information
+- Use your existing Identity stores, do not duplicate your users information
 - Auto-fill user profiles with relevant information
- As an organisation, stay in control of 3PIDs so they are not published to the central Matrix.org servers where they
+- As an organisation, stay in control of your data so it is not published to other servers by default where they
-currently **cannot be removed**
+  currently **cannot be removed**
 - Users can directly find each other using whatever attribute is relevant within your Identity store
- Federate your Identity lookups so you can discover others and/or others can discover you, all with extensive ACLs
+- Federate your Identity server so you can discover others and/or others can discover you
 # Getting started
 See the [dedicated document](docs/getting-started.md)
 # Support
 ## Community
-If you need help, want to report a bug or just say hi, you can reach us on Matrix at 
+Over Matrix: [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io) ([Preview](https://view.matrix.org/room/!NPRUEisLjcaMtHIzDr:kamax.io/))
 [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io) or
 [directly peek anonymously](https://view.matrix.org/room/!NPRUEisLjcaMtHIzDr:kamax.io/).
 For more high-level discussion about the Identity Server architecture/API, go to 
 [#matrix-identity:matrix.org](https://matrix.to/#/#matrix-identity:matrix.org)
-## Professional
+For more high-level discussion about the Identity Server architecture/API, go to  [#matrix-identity:kamax.io](https://matrix.to/#/#matrix-identity:kamax.io)
 ## Commercial
 If you would prefer professional support/custom development for mxisd and/or for Matrix in general, including other open
-source technologies/products, please visit [our website](https://www.kamax.io/) to get in touch with us and get a quote.
+source technologies/products:
-
+- Visit our [website](https://www.kamax.io/) to get in touch with us and get a quote.
-We offer affordable monthly/yearly support plans for mxisd, synapse or your full Matrix infrastructure.
+- Come in our general Matrix room: [#kamax-matrix:kamax.io](https://matrix.to/#/#kamax-matrix:kamax.io)
 # Contribute
 First and foremost, the best way to contribute is to use mxisd and tell us about it!  
 We would love to hear about your experience and get your feedback on how to make it an awesome product. 
 # Contribute 
 You can contribute as a community member by:
 - Giving us feedback about your usage of mxisd, even if it seems unimportant or if all is working well!
 - Opening issues for any weird behaviour or bug. mxisd should feel natural, let us know if it does not!
 - Helping us improve the documentation: tell us what is good or not good (in an issue or in Matrix), or make a PR with
 changes you feel improve the doc.
@@ -95,7 +92,7 @@ changes you feel improve the doc.
 be used for the fixed costs and developer time of mxisd.
 You can contribute as an organisation/corporation by:
- Get a [support contract](#support-professional). This is the best way you can help us as it ensures mxisd is
+- Get a [support contract](#commercial). This is the best way you can help us as it ensures mxisd is
 maintained regularly and you get direct access to the support team.
 - Sponsoring new features or bug fixes. [Get in touch](#contact) so we can discuss it further.
@@ -104,5 +101,5 @@ See the [dedicated document](docs/faq.md)
 # Contact
 Get in touch via:
- Matrix at [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io)
+- Matrix: [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io)
- Email, see our website: [Kamax.io](https://www.kamax.io)
+- Email: see our website: [Kamax.io](https://www.kamax.io)
--- a/application.example.yaml
+++ b/application.example.yaml
@@ -47,18 +47,33 @@ key.path: ''
 storage.provider.sqlite.database: '/path/to/mxisd.db'
 ####################
 # Fallback servers #
 ####################
 #
 # Root/Central servers to be used as final fallback when performing lookups.
 # By default, for privacy reasons, matrix.org servers are not enabled anymore.
 # See the following issue: https://github.com/kamax-io/mxisd/issues/76
 #
 # If you would like to use them and trade away your privacy for convenience, uncomment the following option:
 #
 #forward.servers: ['matrix-org']
 ################
 # LDAP Backend #
 ################
 # If you would like to integrate with your AD/Samba/LDAP server,
 # see https://github.com/kamax-io/mxisd/blob/master/docs/backends/ldap.md
 ###############
 # SQL Backend #
 ###############
 # If you would like to integrate with a MySQL/MariaDB/PostgreQL/SQLite DB,
 # see https://github.com/kamax-io/mxisd/blob/master/docs/backends/sql.md
 ################
 # REST Backend #
 ################
--- a/build.gradle
+++ b/build.gradle
@@ -66,6 +66,7 @@ buildscript {
 repositories {
    maven { url "https://kamax.io/maven/releases/" }
    maven { url "https://kamax.io/maven/snapshots/" }
    mavenCentral()
 }
@@ -80,7 +81,7 @@ dependencies {
    compile "org.springframework.boot:spring-boot-starter-thymeleaf:1.5.10.RELEASE"
    // Matrix Java SDK
-    compile 'io.kamax:matrix-java-sdk:0.0.8'
+    compile 'io.kamax:matrix-java-sdk:0.0.11'
    // ed25519 handling
    compile 'net.i2p.crypto:eddsa:0.1.0'
@@ -94,9 +95,6 @@ dependencies {
    // HTTP connections
    compile 'org.apache.httpcomponents:httpclient:4.5.3'
    // JSON
    compile 'com.google.code.gson:gson:2.8.1'
    // Phone numbers validation
    compile 'com.googlecode.libphonenumber:libphonenumber:8.7.1'
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,26 +1,22 @@
 # Table of Contents
-
+- [Build from sources](build.md) (Optional)
 - Installation
  - [Debian package](install/debian.md)
  - [ArchLinux](install/archlinux.md)
  - [Docker](install/docker.md)
- [Build from source](build.md)
+  - [From source](install/source.md)
 - [Architecture overview](architecture.md)
 - [Configuration](configure.md)
 - Features
-  - [Matrix Identity Service](features/identity.md)
+  - [Authentication](features/authentication.md)
-  - [Homeserver Authentication](features/authentication.md)
+  - [Directory search](features/directory.md)
-  - [Directory seach](features/directory-users.md)
+  - [Identity](features/identity.md)
-  - [Identity server Federation](features/federation.md)
+  - [Federation](features/federation.md)
  - [Bridge integration](features/bridge-integration.md)
- Backends
+- [Identity Stores](stores/README.md)
  - [LDAP](backends/ldap.md)
  - [SQL](backends/sql.md)
  - [REST](backends/rest.md)
  - [Google Firebase](backends/firebase.md)
  - [Wordpress](backends/wordpress.md)
 - Notifications
  - Handlers
-    - [Basic](threepids/notifications/basic-handler.md)
+    - [Basic](threepids/notification/basic-handler.md)
-    - [SendGrid](threepids/notifications/sendgrid-handler.md)
+    - [SendGrid](threepids/notification/sendgrid-handler.md)
- [Sessions](sessions/3pid.md)
+- [Sessions](threepids/session/session.md)
-  - [Views](sessions/3pid-views.md)
+  - [Views](threepids/session/session-views.md)
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -1,6 +1,6 @@
 # Architecture
 ## Overview
-### Basic setup without integration or incoming federation
+### Basic setup with default settings
 ```
 Client
   |
@@ -14,17 +14,14 @@ TCP 443
       +--|------------------+            +---|-----------------------+
          |                                   |
          +<---------------------------------<+
-          |                                          Backends
+          |
-          |   +-------------------+                  +------+    +--------+
+          |   +-------------------+
- TCP 8090 +-> | mxisd             |          +-----> | LDAP | -> | SQL DB |
+ TCP 8090 +-> | mxisd             |
-              |                   |          |       +------+    +--------+ ....
+              |                   |
-              | - Profile's 3PIDs >----+     |
+              | - Profile's 3PIDs |
-              | - 3PID Invites    |    |     |
+              | - 3PID Invites    |
-              +-|-----------------+    +>----+
+              +-|-----------------+
-                |                      |     |       +--------------------------+
+                |
                |                      |     |       | Central Identity service |
                +>-------------------->+     +-----> | Matrix.org / Vector.im   |
                |                            TCP 443 +--------------------------+
             TCP 443
                |  +------------------------+
                |  | Remote Federated       |
@@ -37,7 +34,7 @@ TCP 443
 See the [dedicated document](features/authentication.md).
 ### With Directory
-See the [dedicated document](features/directory-users.md).
+See the [dedicated document](features/directory.md).
 ### With Federation
 See the [dedicated document](features/federation.md).
--- a/docs/backends/firebase.md
+++ b/docs/backends/firebase.md
@@ -1,19 +0,0 @@
 # Google Firebase
 https://firebase.google.com/
 ## Requirements
 This backend requires a suitable Matrix client capable of performing Firebase authentication and passing the following
 information:
 - Firebase User ID as Matrix username
 - Firebase token as Matrix password
 If your client is Riot, you will need a custom version.
 ## Configuration
 To be completed. For now, see default structure and values:
 ```
 firebase:
  enabled: false
  credentials: '/path/to/firebase/credentials.json'
  database: 'https://my-project.firebaseio.com/'
 ```
--- a/docs/backends/ldap.md
+++ b/docs/backends/ldap.md
@@ -1,140 +0,0 @@
 # LDAP (Samba / Active Directory / OpenLDAP)
 ## Getting started
 To use your LDAP backend, add the bare minimum configuration in mxisd config file:
 ```
 ldap.enabled: true
 ldap.connection.host: 'ldapHostnameOrIp'
 ldap.connection.bindDn: 'CN=My Mxisd User,OU=Users,DC=example,DC=org'
 ldap.connection.bindPassword: 'TheUserPassword'
 ldap.connection.baseDn: 'OU=Users,DC=example,DC=org'
 ```
 These are standard LDAP connection configuration. mxisd will try to connect on port default port 389 without encryption.
 ---
 If you would like to use a TLS/SSL connection, use the following configuration options (STARTLS not supported):
 ```
 ldap.connection.tls: true
 ldap.connection.port: 12345
 ```
 ---
 You can also set a default global filter on any LDAP queries:
 ```
 ldap.filter: '(memberOf=CN=My Matrix Users,OU=Groups,DC=example,DC=org)'
 ```
 This example would only return users part of the group called `My Matrix Users`.
 This can be overwritten or append in each specific flow describe below.
 ---
 LDAP features are based on mapping LDAP attributes to Matrix concepts, like a Matrix ID, its localpart, the user display
 name, their email(s) and/or phone number(s).
 Default attributes are well suited for Active Directory/Samba. In case you are using a native LDAP backend, you will
 most certainly configure those mappings.
 The following example would set the `uid` attribute as localpart and the Matrix display name to `cn`
 ```
 ldap.attribute.uid.type: 'uid'
 ldap.attribute.uid.value: 'uid'
 ldap.attribute.name: 'cn'
 ```
 You can also change the attribute lists for 3PID, like email or phone numbers.  
 The following example would overwrite the [default list of attributes](../../src/main/resources/application.yaml#L67)
 for emails and phone number:
 ```
 ldap.attribute.threepid.email:
  - 'mail'
  - 'otherMailAttribute'
 ldap.attribute.threepid.msisdn:
  - 'phone'
  - 'otherPhoneAttribute'
 ```
 ## Identity
 Identity features (related to 3PID invites or searches) are enabled and configured using default values and no specific
 configuration item is needed to get started.
 If you would like to overwrite some global configuration relative to filter and/or attributes, see the Identity section
 of the Configuration below.
 ## Authentication
 No further configuration is needed to enable authentication with LDAP once globally enabled and configured.  
 You have the possiblity to use a different query filter if you wish, see Configuration below.
 Profile auto-fill is enabled by default. It will use the `name` and `threepid` configuration options to get a lit of
 attributes to be used to build the user profile to pass on to synapse during authentication.
 ## Directory
 No further configuration is needed to enable directory with LDAP once globally enabled and configured.
 If you would like to use extra attributes in search that are not 3PIDs, like nicknames, group names, employee number:
 ```
 ldap.directory.attribute.other:
  - 'myNicknameAttribute'
  - 'memberOf'
  - 'employeeNumberAttribute'
 ```
 ## Configuration
 Please read the [Configuration](../configure.md) explanatory note if you are not familiar with the terms used below.
 ### General
 Base path: `ldap`
 | Item      | Description                                                                               |
 |-----------|-------------------------------------------------------------------------------------------|
 | `enabled` | Globaly enable/disable the LDAP backend                                                   |
 | `filter`  | Global filter to apply on all LDAP queries. Can be overwritten in each applicable section |
 ### Connection
 Base path: `ldap.connection`
 | Item           | Description                                          |
 |----------------|------------------------------------------------------|
 | `host`         | Host to connect to                                   |
 | `port`         | Port to use                                          |
 | `tls`          | boolean to use TLS or not (STARTLS is not supported) |
 | `bindDn`       | Bind DN for authentication                           |
 | `bindPassword` | Bind password                                        |
 | `baseDn`       | Base DN for queries                                  |
 ### Attributes
 Base path: `ldap.attribute`
 | Item        | Description                                                                                                            |
 |-------------|------------------------------------------------------------------------------------------------------------------------|
 | `uid.type`  | Indicate how to process the User ID (UID) attribute:                                                                   |
 |             |   - `uid` will consider the value as the [Localpart](https://matrix.org/docs/spec/intro.html#user-identifiers)         |
 |             |   - `mxid` will consider the value as a complete [Matrix ID](https://matrix.org/docs/spec/intro.html#user-identifiers) |
 | `uid.value` | Attribute name refering to the User ID. This is typically `userPrincipalName` on AD/Samba setups and `uid` in LDAP     |
 | `name`      | Attribute name that contains the [Display Name](https://matrix.org/docs/spec/intro.html#profiles) of the user          |
 | `threepid`  | Namespace where each key is a 3PID type and contains a list of attributes                                              |
 ### Authentication
 Base path: `ldap.auth`
 | Item     | Description                                                                                      |
 |----------|--------------------------------------------------------------------------------------------------|
 | `filter` | Specific user filter applied during authentication. Global filter is used if empty/blank/not set |
 ### Directory
 Base path: `ldap.directory`
 | Item              | Description                                                         |
 |-------------------|---------------------------------------------------------------------|
 | `attribute.other` | Additional attributes to be used when performing directory searches |
 | `filter`          | Specific user filter applied during directory search.               |
 |                   | Global filter is used if empty/blank/not set                        |
 ### Identity
 Base path: `ldap.identity`
 | Item     | Description                                                                                       |
 |----------|---------------------------------------------------------------------------------------------------|
 | `filter` | Specific user filter applied during identity search. Global filter is used if empty/blank/not set | 
 | `medium` | Namespace to overwrite generated queries from the list of attributes for each 3PID medium         |
--- a/docs/backends/sql.md
+++ b/docs/backends/sql.md
@@ -1,23 +0,0 @@
 # SQL Backend
 ## Configuration
 To be completed. For now, see default structure and values:
 ```
 sql:
  enabled: false
  type: 'sqlite' or 'postgresql'
  connection: ''
  auth:
    enabled: false
  directory:
    enabled: false
    query:
      name:
        type: 'localpart'
        value: 'SELECT 1'
      threepid:
        type: 'localpart'
        value: 'SELECT 1'
  identity:
    type: 'localpart'
    query: 'SELECT user_id AS uid FROM user_threepids WHERE medium = ? AND address = ?'
 ```
--- a/docs/build.md
+++ b/docs/build.md
@@ -1,105 +1,73 @@
 # From source
 - [Binaries](#binaries)
  - [Requirements](#requirements)
  - [Build](#build)
 - [Debian package](#debian-package)
 - [Docker image](#docker-image)
 - [Next steps](#next-steps)
 ## Binaries
 ### Requirements
 - JDK 1.8
 ### Build
-```
+```bash
 git clone https://github.com/kamax-io/mxisd.git
 cd mxisd
 ./gradlew build
 ```
 Create a new configuration file by coping `application.example.yaml` to `application.yaml` and edit to your needs.  
-For advanced configuration, see the [Configure section](configure.md).
+For advanced configuration, see the [Configure section](configure.md).  
 **NOTE**: `application.yaml` is also called `mxisd.yaml` in some specific installations.
 Start the server in foreground to validate the build and configuration:
-```
+```bash
 java -jar build/libs/mxisd.jar
 ```
 Ensure the signing key is available:
-```
+```bash
 $ curl 'http://localhost:8090/_matrix/identity/api/v1/pubkey/ed25519:0'
 {"public_key":"..."}
 ```
 Test basic recursive lookup (requires Internet connection with access to TCP 443):
-```
+```bash
-$ curl 'http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=mxisd-lookup-test@kamax.io'
+$ curl 'http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=mxisd-federation-test@kamax.io'
-{"address":"mxisd-lookup-test@kamax.io","medium":"email","mxid":"@mxisd-lookup-test:kamax.io",...}
+{"address":"mxisd-federation-test@kamax.io","medium":"email","mxid":"@mxisd-lookup-test:kamax.io",...}
 ```
 If you enabled LDAP, you can also validate your config with a similar request after replacing the `address` value with
 something present within your LDAP
-```
+```bash
 curl 'http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=john.doe@example.org'
 ```
 If you plan on testing the integration with a homeserver, you will need to run an HTTPS reverse proxy in front of it
 as the reference Home Server implementation [synapse](https://github.com/matrix-org/synapse) requires a HTTPS connection
 to an ID server.  
 See the [Integration section](#integration) for more details.
-### Install
+Next step: [Install your compiled binaries](install/source.md)
 1. Prepare files and directories:
 ```
 # Create a dedicated user
 useradd -r mxisd
 # Create bin directory
 mkdir /opt/mxisd
 # Create config directory and set ownership
 mkdir /etc/opt/mxisd
 chown mxisd /etc/opt/mxisd
 # Create data directory and set ownership
 mkdir /var/opt/mxisd
 chown mxisd /var/opt/mxisd
 # Copy <repo root>/build/libs/mxisd.jar to bin directory
 cp ./build/libs/mxisd.jar /opt/mxisd/
 chown mxisd /opt/mxisd/mxisd.jar
 chmod a+x /opt/mxisd/mxisd.jar
 # Create symlink for easy exec
 ln -s /opt/mxisd/mxisd.jar /usr/bin/mxisd
 ```
 2. Copy the sample config file `./application.example.yaml` to `/etc/opt/mxisd/mxisd.yaml`, edit to your needs
 4. Copy `<repo root>/src/systemd/mxisd.service` to `/etc/systemd/system/` and edit if needed
 5. Enable service for auto-startup
 ```
 systemctl enable mxisd
 ```
 6. Start mxisd
 ```
 systemctl start mxisd
 ```
 ## Debian package
-### Requirements
+Requirements:
 - fakeroot
 - dpkg-deb
 ### Build
 [Build mxisd](#build) then:
-```
+```bash
 ./gradlew buildDeb 
 ```
-You will find the debian package in `build/dist`
+You will find the debian package in `build/dist`.  
 Then follow the instruction in the [Debian package](install/debian.md) document.
 ## Docker image
 [Build mxisd](#build) then:
-```
+```bash
 ./gradlew dockerBuild
 ```
-You can run a container of the given image and test it with the following command (adapt volumes host paths):
+Then follow the instructions in the [Docker install](install/docker.md#configure) document.
-```
+
-docker run -v /data/mxisd/etc:/etc/mxisd -v /data/mxisd/var:/var/mxisd -p 8090:8090 -t kamax/mxisd:latest-dev
+## Next steps
-```
+- [Integrate with your infrastructure](getting-started.md#integrate)
--- a/docs/concepts.md
+++ b/docs/concepts.md
@@ -0,0 +1,43 @@
 # Concepts
 - [Matrix](#matrix)
 - [mxisd](#mxisd)
 ## Matrix
 The following concepts are part of the Matrix ecosystem and specification.
 ### 3PID
 `3PID` stands for Third-Party Identifier.  
 It is also commonly written:
 - `3pid`
 - `tpid`
 A 3PID is a globally unique canonical identifier which is made of:
 - Medium, which describes what network it belongs to (Email, Phone, Twitter, Discord, etc.)
 - Address, the actual value people typically use on a daily basis.
 mxisd core mission is to map those identifiers to Matrix User IDs.
 ### Homeserver
 Where a user **account and data** are stored.
 ### Identity server
 An Identity server:
 - Does lookup of 3PIDs to User Matrix IDs.
 - Does validate 3PIDs ownership, typically by sending a code that the user has to enter in an application/on a website.
 - Does send notifications about room invites where no Matrix User ID could be found for the invitee.
 An Identity server:
 - **DOES NOT** store user accounts.
 - **DOES NOT** store user data.
 - **DOES NOT** allow migration of user account and/or data between homeservers. 
 ### 3PID session
 The fact to validate a 3PID (email, phone number, etc.) via the introduction of a token which was sent to the 3PID address.
 ## mxisd
 The following concepts are specific to mxisd.
 ### Identity store
 Where your user accounts and 3PID mappings are stored.
 mxisd itself **DOES NOT STORE** user accounts or 3PID mappings.
--- a/docs/configure.md
+++ b/docs/configure.md
@@ -1,18 +1,25 @@
 # Configuration
- [Syntax](#syntax)
+- [Concepts](#concepts)
- [Variables](#variables)
+  - [Syntax](#syntax)
- [Categories](#categories)
+  - [Variables](#variables)
 - [Matrix](#matrix)
 - [Server](#server)
 - [Storage](#storage)
 - [Identity stores](#identity-stores)
 - [3PID Validation sessions](#3pid-validation-sessions)
 - [Notifications](#notifications)
-## Syntax
+## Concepts
-The configuration file is YAML based, allowing two types of syntax.
+### Syntax
 The configuration file is [YAML](http://yaml.org/) based, allowing two types of syntax.
 Properties-like:
-```
+```yaml
 my.config.item: 'value'
 ```
 Object-like:
-```
+```yaml
 my:
  config:
    item: 'value'
@@ -21,12 +28,10 @@ my:
 These can also be combined within the same file.  
 Both syntax will be used interchangeably in these documents.
-Default values for each possible option are documented [here](../src/main/resources/application.yaml)
+### Variables
 ## Variables
 It is possible to copy the value of a configuration item into another using the syntax `${config.key.item}`.  
 Example that will copy the value of `matrix.domain` into `server.name`:
-```
+```yaml
 matrix:
  domain: 'example.org'
@@ -36,148 +41,62 @@ server:
 **WARNING:** mxisd might overwrite/adapt some values during launch. Those changes will not be reflected into copied keys.
 ## Categories
 For each category below, the base configuration path will be given, which needs to be appended to every configuration
 item described.
-Example: if the base path was `basePath` and the following table was given:
+## Matrix
-
+`matrix.domain`
-| Name | Purpose |
+Matrix domain name, same as the Homeserver, used to build appropriate Matrix IDs |
 |------|---------|
 | item1 | To give an example |
 | item2 | To give another example |
 The following configurations could be used, all being equivalent:
 ```
 basePath.item1: 'myValue'
 basePath.item2: 'myOtherValue'
 ```
 ```
 basePath:
  item1: 'myValue'
  item2: 'myOtherValue'
 ```
 ```
 basePath.item1: 'myValue'
 basePath:
  item2: 'myOtherValue'
 ```
 ---
-In case a relative base path is given, it is appended to the one above.
+`matrix.identity.servers`
-
+Namespace to create arbitrary list of Identity servers, usable in other parts of the configuration |
 Example: With base path `basePath`, the relative base `relativeBasePath` and the following table:
 | Name | Purpose |
 |------|---------|
 | item1 | To give an example |
 | item2 | To give another example |
 The following configurations could be used, all being equivalent:
 ```
 basePath.relativeBasePath.item1: 'myValue'
 basePath.relativeBasePath.item2: 'myOtherValue'
 ```
 ```
 basePath:
  relativeBasePath:
    item1: 'myValue'
    item2: 'myOtherValue'
 ```
 ```
 basePath.relativeBasePath.item1: 'myValue'
 basePath:
  relativeBasePath:
    item2: 'myOtherValue'
 ```
 ### Matrix
 Base path: `matrix`
 | Name | Purpose |
 |------|---------|
 | `domain` | Matrix domain name, same as the Homeserver, used to build appropriate Matrix IDs |
 ---
 Relative base path: `identity`
 | Name | Purpose |
 |------|---------|
 | `servers` | Namespace to create arbitrary list of Identity servers, usable in other parts of the configuration |
 Example:
-```
+```yaml
 matrix.identity.servers:
-  root:
+  myOtherServers:
-    - 'https://matrix.org'
+    - 'https://other1.example.org'
    - 'https://other2.example.org'
 ```
 Create a list under the label `root` containing a single Identity server, `https://matrix.org`
 ### Server
 | Name | Purpose |
 |------|---------|
 | `name` | Public hostname of mxisd, if different from the Matrix domain |
 | `port` | HTTP port to listen on (unencrypted) |
 | `publicUrl` | Defaults to `https://${server.name}` |
-### Storage
+## Server
-Base path: `storage`
+- `server.name`: Public hostname of mxisd, if different from the Matrix domain.
 - `server.port`: HTTP port to listen on (unencrypted)
 - `server.publicUrl`: Defaults to `https://${server.name}`
-| Name | Purpose |
+## Storage
-|------|---------|
+### SQLite
-| `backend` | Specify which SQL backend to use. only `sqlite` is currently supported. |
+`storage.provider.sqlite.database`: Absolute location of the SQLite database
---
+## Identity stores
-Relative base path: `provider.sqlite`
+See the [Identity stores](stores/README.md) for specific configuration
-| Name | Purpose |
+## 3PID Validation sessions
-|------|---------|
+See the dedicated documents:
-| `database` | Absolute location of the SQLite database |
+- [Flow](threepids/session/session.md)
 - [Branding](threepids/session/session-views.md)
-### Backends
+## Notifications
- [LDAP](backends/ldap.md)
+- `notification.handler.<3PID medium>`: Handler to use for the given 3PID medium. Repeatable.
 - [SQL](backends/sql.md)
 - [REST](backends/rest.md)
 - [Google Firebase](backends/firebase.md)
 ### Lookups
 work in progress, should not be configured.
 ### Sessions
 See the [dedicated document](sessions/3pid.md)
 ### Notifications
 Base path: `notification`
 | Name | Purpose |
 |------|---------|
 | handler | Namespace to specify the handler to use for each 3PID |
 | handlers | Namespace used by individual handlers for their own configuration |
 Example:
 ```yaml
 notification.handler.email: 'sendgrid'
 notification.handler.msisdn: 'raw'
 ```
-notification:
+- Emails notifications would use the `sendgrid` handler, which define its own configuration under `notification.handlers.sendgrid`
  handler:
    email: 'sendgrid'
    msisdn: 'raw'
  handlers:
    raw:
      ...
    sendgrid:
      ...
 ```
 - Emails notifications would use the `sendgrid` handler, which define its own configuration user `handlers.sendgrid`
 - Phone notification would use the `raw` handler, basic default built-in handler of mxisd
-#### Handlers
+
-Relative base path: `handlers`
+### Handlers
 - `notification.handers.<handler ID>`: Handler-specific configuration for the given handler ID. Repeatable.
 Example:
 ```yaml
 notification.handlers.raw: ...
 notification.handlers.sendgrid: ...
 ```
 Built-in:
- [Basic](threepids/notifications/basic-handler.md)
+- [Raw](threepids/notification/basic-handler.md)
- [SendGrid](threepids/notifications/sendgrid-handler.md)
+- [SendGrid](threepids/notification/sendgrid-handler.md)
 ### Views
 See the [dedicated document](sessions/3pid-views.md)
 ### DNS Overwite
 Specific to other features.
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -1,9 +1,27 @@
-# FAQ
+# Frequently Asked Questions
-### Do I need to use mxisd if I run a Homeserver?
+### This is all very complicated and I'm getting confused with all the words, concepts and diagrams - Help!
-No, but it is recommended, even if you don't use any backends or integration.
+Matrix is still a very young protocol and there are a whole lot of rough edges.  
 Identity in Matrix is one of the most difficult topic, mainly as it has not received much love in the past years.
-In its default configuration, mxisd will talk to the central Matrix Identity servers and use other federated public
+We have tried our best to put together documentation that requires almost no knowledge of Matrix inner workings to get a
-servers when performing queries, giving you access to at least the same information as if you were not running it.
+first basic setup running which relies on you reading the documentation in the right order:
 - [The  Concepts](concepts.md) in few words.
 - [Getting Started](getting-started.md) step-by-step to a minimal working install.
 - [Identity stores](stores/README.md) you wish to fetch data from.
 - [Features](features) you are interested in that will use your Identity store(s) data.
 **IMPORTANT**: Be aware that mxisd tries to fit within the current protocol and existing products and basic understanding
 of the Matrix protocol is required for some advanced features.
 If all fails, come over to [the project room](https://matrix.to/#/#mxisd:kamax.io) and we'll do our best to get you
 started and answer questions you might have.
 ### Do I need to use mxisd if I run a Homeserver?
 No, but it is strongly recommended, even if you don't use any Identity store or integration.
 In its default configuration, mxisd uses other federated public servers when performing queries.  
 It can also [be configured](features/identity.md#lookups) to use the central matrix.org servers, giving you access to at
 least the same information as if you were not running it.
 It will also give your users a choice to make their 3PIDs available publicly, ensuring they are made aware of the
 privacy consequences, which is not the case with the central Matrix.org servers.
@@ -11,7 +29,24 @@ privacy consequences, which is not the case with the central Matrix.org servers.
 So mxisd is like your gatekeeper and guardian angel. It does not change what you already know, just adds some nice
 simple features on top of it.
-### I already use the synapse LDAP3 auth provider, why should I care about mxisd?
+### I'm not sure I understand what an "Identity server" is supposed to be or do...
 The current Identity service API is more a placeholder, as the Matrix devs did not have time so far to really work on
 what they want to do with that part of the ecosystem. Therefore, "Identity" is currently a misleading word and concept.
 Given the scope of the current Identity Service API, it would be best called "Invitation service".
 Because the current scope is so limited and no integration is done with the Homeserver, there was a big lack of features
 for groups/corporations/organisation. This is where mxisd comes in.
 mxisd implements the Identity Service API and also a set of features which are expected by regular users, truly living
 up to its "Identity server" name.
 ### Can I migrate my existing account on another Matrix server with mxisd?
 No.
 Accounts cannot currently migrate/move from one server to another.  
 See a [brief explanation document](concepts.md) about Matrix and mxisd concepts and vocabulary.
 ### I already use the synapse LDAP3 auth provider. Why should I care about mxisd?
 The [synapse LDAP3 auth provider](https://github.com/matrix-org/matrix-synapse-ldap3) is not longer maintained and
 only handles on specific flow: validate credentials at login.
@@ -19,12 +54,11 @@ It does not:
 - Auto-provision user profiles
 - Integrate with Identity management
 - Integrate with Directory searches
 - Protect you against the username case sensitivites issues in synapse
-mxisd is a replacement and enhancement of it, offering coherent results in all areas, which LDAP3 auth provider
+mxisd is a replacement and enhancement of it, offering coherent results in all areas, which the LDAP3 auth provider
 does not.
-### Sydent is the official Identity server implementation of the Matrix team, why not use that?
+### Sydent is the official Identity server implementation of the Matrix team. Why not use that?
 You can, but [sydent](https://github.com/matrix-org/sydent):
 - [should not be used and/or self-hosted](https://github.com/matrix-org/sydent/issues/22)
 - is not meant to be linked to a specific Homeserver / domain
@@ -35,31 +69,19 @@ You can, but [sydent](https://github.com/matrix-org/sydent):
 So really, you should go with mxisd.
 ### Will I loose access to the central Matrix.org/Vector.im Identity data if I use mxisd?
-In its default configuration, mxisd act as a proxy to Matrix.org/Vector.im. You will have access to the same data and
+No.
 behaviour than if you were using them directly. There is no downside in using mxisd with the default configuration.
-mxisd can also be configured not to talk to the central Identity servers if you wish.
+In its default configuration, mxisd does not talk to the central Identity server matrix.org to avoid leaking your private
 data and those of people you might know.
-### I'm not sure I understand what an "Identity server" is supposed to be or do
+mxisd [can be configured](features/identity.md#lookups) to talk to the central Identity servers if you wish.
 The current Identity service API is more a placeholder, as the Matrix devs did not have time so far to really work on
 what they want to do with that part of the ecosystem. Therefore, "Identity" is a misleading word currently.  
 Given the scope of the current Identity Service API, it would be best called "Invitation service".
 Because the current scope is so limited and no integration is done with the Homeserver, there was a big lack of features
 for groups/corporations/organisation. This is where mxisd comes in.
 mxisd implements the Identity Service API and also a set of features which are expected by regular users, truly living
 up to its "Identity server" name.
 ### So mxisd is just a big hack! I don't want to use non-official features!
-mxisd primary concern is to always be compatible with the Matrix ecosystem and the Identity service API.  
+mxisd primary concerns are your privacy and to always be compatible with the Matrix ecosystem and the Identity service API.  
 Whenever the API will be updated and/or enhanced, mxisd will follow, remaining 100% compatible with the ecosystem.
 We also directly talk with the Matrix developers to ensure all features we implement have their approval, and that we
 are in line with their vision of Identity management within the Matrix ecosystem.
 Therefore, using mxisd is a safe choice. It will be like using the central Matrix.org Identity servers, yet not closing
 the door to very nice enhancements and integrations.
 ### Should I use mxisd if I don't host my own Homeserver?
-No
+No.
 It is possible, but it is not supported and the scope of features will be extremely limited.
 Please consider hosting your own Homeserver and using mxisd alongside it.
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@@ -1,60 +1,59 @@
 # Authentication
 - [Description](#description)
- [Overview](#overview)
+- [Basic](#basic)
- [Getting started](#getting-started)
+  - [Overview](#overview)
-  - [Synapse](#synapse)
+  - [synapse](#synapse)
  - [mxisd](#mxisd)
  - [Validate](#validate)
- [Next steps](#next-steps)
+  - [Next steps](#next-steps)
-  - [Profile auto-fil](#profile-auto-fill)
+    - [Profile auto-fil](#profile-auto-fill)
- [Advanced Authentication](#advanced-authentication)
+- [Advanced](#advanced)
  - [Overview](#overview-1)
  - [Requirements](#requirements)
  - [Configuration](#configuration)
    - [Reverse Proxy](#reverse-proxy)
      - [Apache2](#apache2)
    - [DNS Overwrite](#dns-overwrite)
    - [Backends](#backends) 
 ## Description
-Authentication is an enhanced Identity feature of mxisd to ensure coherent and centralized identity management.
+Authentication is an enhanced feature of mxisd to ensure coherent and centralized identity management.  
 It allows to use Identity stores configured in mxisd to authenticate users on your Homeserver.
-This feature can also provide the ability to users to login on the Homeserver using their third party identities (3PIDs) provided by an Identity store.
+Authentication is divided into two parts:
 - [Basic](#basic): authenticate with a regular username.
 - [Advanced](#advanced): same as basic with extra ability to authenticate using a 3PID.
-## Overview
+## Basic
-An overview of the Authentication process is depicted below: 
+Authentication by username is possible by linking synapse and mxisd together using a specific module for synapse, also
 known as password provider.
 ### Overview
 An overview of the Basic Authentication process:
 ```
-                                                                                    Backends
+                                                                                    Identity stores
 Client                                                                             +------+
   |                                            +-------------------------+    +--> | LDAP |
   |   +---------------+  /_matrix/identity     | mxisd                   |    |    +------+
   +-> | Reverse proxy | >------------------+   |                         |    |
       +--|------------+                    |   |                         |    |    +--------+
-          |                                 +-----> Check with backends >------+--> | SQL DB |
+          |                                 +-----> Check ID stores     >------+--> | SQL DB |
     Login request                          |   |                         |    |    +--------+
          |                                 |   |     |                   |    |
-          |   +--------------------------+  |   +-----|-------------------+    +-->  Others
+          |   +--------------------------+  |   +-----|-------------------+    +-->  ...
          +-> | Homeserver               |  |         |
              |                          |  |         |
              | - Validate credentials >----+         |
              |   Using REST auth module |            |
              |                          |            |
              | - Auto-provision <-------------------<+
-              |   user profiles          |    If valid credentials and supported by backend
+              |   user profiles          |    If valid credentials and supported by Identity store(s)
              +--------------------------+
 ```
 Performed on [synapse with REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth/blob/master/README.md)
 ## Getting started
 Authentication is possible by linking synapse and mxisd together using the REST auth module
 (also known as password provider).
 ### Synapse
- Install the [REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth).
+- Install the [password provider](https://github.com/kamax-io/matrix-synapse-rest-auth)
- Edit your synapse configuration:
+- Edit your **synapse** configuration:
  - As described by the auth module documentation
  - Set `endpoint` to `http://mxisdAddress:8090` - Replace `mxisdAddress` by an IP/host name that provides a direct
  connection to mxisd.  
@@ -62,25 +61,23 @@ Authentication is possible by linking synapse and mxisd together using the REST
 - Restart synapse
 ### mxisd
- Configure and enable at least one [Identity store](../backends/)
+- Configure and enable at least one [Identity store](../stores/README.md)
 - Restart mxisd
 ### Validate
-Login on the Homeserver using credentials present in your backend.
+Login on the Homeserver using credentials present in one of your Identity stores.
 ## Next steps
 ### Profile auto-fill
-Auto-filling user profile depends on two conditions:
+Auto-filling user profile depends on its support by your configured Identity stores.  
- The REST auth module is configured for it, which is the case by default
+See your Identity store [documentation](../stores/README.md) on how to enable the feature.
 - Your Identity store is configured to provide profile data. See your Identity store [documentation](../backends/) on
 how to enable the feature.
-## Advanced Authentication
+## Advanced
-The Authentication feature allows users to login to their Homeserver by using their 3PIDs registered in an available Identity store.
+The Authentication feature allows users to login to their Homeserver by using their 3PIDs in a configured Identity store.
 ### Overview
 This is performed by intercepting the Homeserver endpoint `/_matrix/client/r0/login` as depicted below:
 ```
            +----------------------------+
            |  Reverse Proxy             |
@@ -106,31 +103,28 @@ Client+---->| /_matrix/client/r0/login +---------------->|
 Steps of user authentication using a 3PID:
 1. The intercepted login request is directly sent to mxisd instead of the Homeserver.
-2. Enabled backends are queried for a matching user identity in order to modify the request to use the user name.
+2. Identity stores are queried for a matching user identity in order to modify the request to use the user name.
-3. The Homeserver, from which the request was intercepted, is queried using the request at previous step. Its address is resolved using the DNS Overwrite feature to reach its internal address on a non-encrypted port.
+3. The Homeserver, from which the request was intercepted, is queried using the request at previous step.
   Its address is resolved using the DNS Overwrite feature to reach its internal address on a non-encrypted port.
 4. The response from the Homeserver is sent back to the client, believing it was the HS which directly answered.
 ### Requirements
 - [Basic Authentication configured and working](#basic)
 - Reverse proxy setup
 - Homeserver
- Compatible Identity backends:
+- Compatible [Identity store](../stores/README.md)
 	- LDAP
 	- REST
 	- Wordpress
 ### Configuration
 #### Reverse Proxy
 ##### Apache2
 The specific configuration to put under the relevant `VirtualHost`:
-```
+```apache
 ProxyPass /_matrix/client/r0/login http://localhost:8090/_matrix/client/r0/login
 ```
-`ProxyPreserveHost` or equivalent must be enabled to detect to which Homeserver mxisd should talk to when building results.
+`ProxyPreserveHost` or equivalent **must** be enabled to detect to which Homeserver mxisd should talk to when building results.
-Your VirtualHost should now look like this:
+Your VirtualHost should now look similar to:
-```
+```apache
 <VirtualHost *:443>
    ServerName example.org
@@ -138,25 +132,23 @@ Your VirtualHost should now look like this:
    ProxyPreserveHost on
    ProxyPass /_matrix/client/r0/login http://localhost:8090/_matrix/client/r0/login
-    ProxyPass /_matrix/identity/ http://localhost:8090/_matrix/identity/
+    ProxyPass /_matrix/identity http://localhost:8090/_matrix/identity
-    ProxyPass /_matrix/ http://localhost:8008/_matrix/
+    ProxyPass /_matrix http://localhost:8008/_matrix
 </VirtualHost>
 ```
 #### DNS Overwrite
-Just like you need to configure a reverse proxy to send client requests to mxisd, you also need to configure mxisd with the internal IP of the Homeserver so it can talk to it directly to integrate its directory search.
+Just like you need to configure a reverse proxy to send client requests to mxisd, you also need to configure mxisd with
 the internal IP of the Homeserver so it can talk to it directly to integrate its directory search.
-
+To do so, put the following configuration in your mxisd configuration:
-To do so, put the following configuration in your `application.yaml`:
+```yaml
 ```
 dns.overwrite.homeserver.client:
  - name: 'example.org'
    value: 'http://localhost:8008'
 ```
 `name` must be the hostname of the URL that clients use when connecting to the Homeserver.
-In case the hostname is the same as your Matrix domain, you can use `${matrix.domain}` to auto-populate the `value` using the `matrix.domain` configuration option and avoid duplicating it.
+In case the hostname is the same as your Matrix domain, you can use `${matrix.domain}` to auto-populate the `value`
 using the `matrix.domain` configuration option and avoid duplicating it.
-value is the base internal URL of the Homeserver, without any /_matrix/.. or trailing /.
+`value` is the base internal URL of the Homeserver, without any `/_matrix/..` or trailing `/`.
 #### Backends
 The Backends should be configured as described in the documentation of the [Directory User](directory-users.md) feature. 
--- a/docs/features/bridge-integration.md
+++ b/docs/features/bridge-integration.md
@@ -1 +1,28 @@
-To be documented
+# Bridge Integration
 To help natural bridge integration into the regular usage of a Matrix client, mxisd provides a way for bridge to reply
 to 3PID queries if no mapping was found, allowing seamless bridging to a network.
 This is performed by implementing a specific endpoint on the bridge to map a 3PID lookup to a virtual user.
 **NOTE**: This document is incomplete and might be misleading. In doubt, come in our Matrix room.  
 You can also look at our [Email Bridge README](https://github.com/kamax-io/matrix-appservice-email#mxisd) for an example
 of working configuration.
 ## Configuration
 ```yaml
 lookup.recursive.bridge.enabled: <boolean>
 lookup.recursive.bridge.recursiveOnly: <boolean>
 lookup.recursive.bridge.server: <URL to the bridge endpoint for all 3PID medium>
 lookup.recursive.bridge.mappings:
  <3PID MEDIUM HERE>: <URL to dedicated bridge for that medium>
 ```
 ## Integration
 Implement a simplified version of the [Identity service single lookup endpoint](https://kamax.io/matrix/api/identity_service/unstable.html#get-matrix-identity-api-v1-lookup)
 with only the following parameters needed:
 - `address`
 - `medium`
 - `mxid`
 Or an empty object if no resolution exists or desired.
--- a/docs/features/directory-users.md
+++ b/docs/features/directory-users.md
@@ -7,10 +7,6 @@
    - [Apache2](#apache2)
    - [nginx](#nginx)
  - [DNS Overwrite](#dns-overwrite)
  - [Backends](#backends)
    - [LDAP](#ldap)
    - [SQL](#sql)
    - [REST](#rest)
 - [Next steps](#next-steps)
 ## Description
@@ -18,17 +14,17 @@ This feature allows you to search for existing and/or potential users that are a
 or that already share a room with you on the Homeserver.
 Without any integration, synapse:
- Only search within the users **already** known to you
+- Only search within the users **already** known to you or in public rooms
 - Only search on the Display Name and the Matrix ID
-With mxisd integration, you can:
+By enabling this feature, you can by default:
 - Search on Matrix ID, Display name and 3PIDs (Email, phone numbers) of any users already in your configured backend
 - Search for users which you are not in contact with yet. Super useful for corporations who want to give Matrix access
 internally, so users can just find themselves **prior** to having any common room(s)
- Use any attribute of your backend to extend the search!
+- Add extra attributes of your backend to extend the search
- Include your homeserver search results to those found by mxisd (default behaviour, no configuration required)
+- Include your homeserver search results to those found by mxisd
-By integrating mxisd, you get the default behaviour with all the extras, ensuring your users will always find each other.
+By integrating mxisd, you get the default behaviour and a bunch of extras, ensuring your users will always find each other.
 ## Overview
 This is performed by intercepting the Homeserver endpoint `/_matrix/client/r0/user_directory/search` like so:
@@ -49,31 +45,28 @@ Client --> | Reverse proxy
 ```
 Steps:
 1. The intercepted request is directly sent to mxisd instead of the Homeserver.
-2. Enabled backends are queried for any match on the search value sent by the client.
+2. Identity stores are queried for any match on the search value sent by the client.
 3. The Homeserver, from which the request was intercepted, is queried using the same request as the client.
-Its address is resolved using the DNS Overwrite feature to reach its internal address on a non-encrypted port.
+   Its address is resolved using the DNS Overwrite feature to reach its internal address on a non-encrypted port.
-4. Results from backends and the Homeserver are merged together and sent back to the client, believing it was the HS
+4. Results from Identity stores and the Homeserver are merged together and sent back to the client, believing it was the HS
 which directly answered the request.
 ## Requirements
 - Reverse proxy setup, which you should already have in place if you use mxisd
- Compatible backends:
+- At least one compatible [Identity store](../stores/README.md) enabled
  - LDAP
  - SQL
  - REST
 ## Configuration
 ### Reverse Proxy
 #### Apache2
 The specific configuration to put under the relevant `VirtualHost`:
-```
+```apache
 ProxyPass /_matrix/client/r0/user_directory/ http://0.0.0.0:8090/_matrix/client/r0/user_directory/
 ```
 `ProxyPreserveHost` or equivalent must be enabled to detect to which Homeserver mxisd should talk to when building
 results.
 Your `VirtualHost` should now look like this:
-```
+```apache
 <VirtualHost *:443>
    ServerName example.org
@@ -81,14 +74,14 @@ Your `VirtualHost` should now look like this:
    ProxyPreserveHost on
    ProxyPass /_matrix/client/r0/user_directory/ http://localhost:8090/_matrix/client/r0/user_directory/
-    ProxyPass /_matrix/identity/ http://localhost:8090/_matrix/identity/
+    ProxyPass /_matrix/identity http://localhost:8090/_matrix/identity
-    ProxyPass /_matrix/ http://localhost:8008/_matrix/
+    ProxyPass /_matrix http://localhost:8008/_matrix
 </VirtualHost>
 ```
 #### nginx
 The specific configuration to add under your `server` section is:
-```
+```nginx
 location /_matrix/client/r0/user_directory {
    proxy_pass http://0.0.0.0:8090/_matrix/client/r0/user_directory;
    proxy_set_header Host $host;
@@ -97,7 +90,7 @@ location /_matrix/client/r0/user_directory {
 ```
 Your `server` section should now look like this:
-```
+```nginx
 server {
    listen 443 ssl;
    server_name example.org;
@@ -129,7 +122,7 @@ Just like you need to configure a reverse proxy to send client requests to mxisd
 the internal IP of the Homeserver so it can talk to it directly to integrate its directory search.
 To do so, use the following configuration:
-```
+```yaml
 dns.overwrite.homeserver.client:
  - name: 'example.org'
    value: 'http://localhost:8008'
@@ -138,94 +131,12 @@ dns.overwrite.homeserver.client:
 In case the hostname is the same as your Matrix domain, you can use `${matrix.domain}` to auto-populate the value using
 the `matrix.domain` configuration option and avoid duplicating it.
-`value` is the base intenral URL of the Homeserver, without any `/_matrix/..` or trailing `/`.
+`value` is the base internal URL of the Homeserver, without any `/_matrix/..` or trailing `/`.
 ### Backends
 #### LDAP
 To ensure Directory feature works, here's how the LDAP configuration should look like:
 ```
 ldap:
  enabled: false
  filter: '(memberOf=CN=Matrix Users,OU=Groups,DC=example,DC=org)'
  connection:
    host: 'ldapIpOrDomain'
    bindDn: 'CN=Matrix Identity Server,OU=Accounts,DC=example,DC=org'
    bindPassword: 'mxisd'
    baseDn: 'OU=Accounts,DC=example,DC=org'
  attribute:
    uid:
      type: 'uid'
      value: 'userPrincipalName'
    name: 'displayName'
    threepid:
      email:
        - 'mailPrimaryAddress'
        - 'mail'
        - 'otherMailbox'
      msisdn:
        - 'telephoneNumber'
        - 'mobile'
        - 'homePhone'
        - 'otherTelephone'
        - 'otherMobile'
        - 'otherHomePhone'
  directory:
    attribute:
      other:
        - 'employeeNumber'
        - 'someOtherAttribute'
 ```
 Only include the `attribute` sub-sections if you would like to set another value. Else, it is best not to include them
 to inherit the default values.
 If you would like to include an attribute which is not a display name or a 3PID, you can use the
 `directory.attribute.other` to list any extra attributes you want included in searches. If you do not want to include
 any extra attribute, that configuration section can be skipped. 
 #### SQL
 If you plan to integrate directory search directly with synapse, use the `synapseSql` provider, based on the following
 config:
 ```
 synapseSql:
  enabled: true
  type: <database ID>
  connection: '<connection info>'
 ```
 `type` and `connection`, including any other configuration item, follow the same values as the regular [SQL backend](../backends/sql.md).
 ---
 For the regular SQL backend, the following configuration items are available:
 ```
 sql:
  directory:
    enabled: true
    query:
      name:
        type: 'localpart'
        value: 'SELECT idColumn, displayNameColumn FROM table WHERE displayNameColumn LIKE ?'
      threepid:
        type: 'localpart'
        value: 'SELECT idColumn, displayNameColumn FROM table WHERE threepidColumn LIKE ?'
 ```
 For each query, `type` can be used to tell mxisd how to process the ID column:
 - `localpart` will append the `matrix.domain` to it
 - `mxid` will use the ID as-is. If it is not a valid Matrix ID, the search will fail.
 `value` is the SQL query and must return two columns:
 - The first being the User ID
 - The second being its display name
 #### REST
 See the [dedicated document](../backends/rest.md)
 #### Wordpress
 See the [dedicated document](../backends/wordpress.md)
 ## Next steps
 ### Homeserver results
 You can configure if the Homeserver should be queried at all when doing a directory search.  
-To disable Homeserver results, set the following in mxisd config file:
+To disable Homeserver results, set the following in mxisd configuration file:
-```
+```yaml
 directory.exclude.homeserever: true
 ```
--- a/docs/features/federation.md
+++ b/docs/features/federation.md
@@ -1,4 +1,15 @@
-# Identity service Federation
+# Federation
 Federation is the process by which domain owners can make compatible 3PIDs mapping auto-discoverable by looking for another
 Federated Identity server using the DNS domain part of the 3PID.
 Emails are the best candidate for this kind of resolution which are DNS domain based already.  
 On the other hand, Phone numbers cannot be resolved this way.
 For 3PIDs which are not compatible with the DNS system, mxisd can be configured to talk to fallback Identity servers like
 the central matrix.org one. See the [Identity feature](identity.md#lookups) for instructions on how to enable it.
 Outbound federation is enabled by default while inbound federation is opt-in and require a specific DNS record.
 ## Overview
 ```
              +-------------------+   +-------------> +----------+
@@ -6,28 +17,33 @@
              |                   |   |      +------> +----------+
              |                   |   |      |
              | Invites / Lookups |   |      |
- Federated    | +--------+        |   |      |        +-------------------+
+ Federated    | +--------+        |   |      |
- Identity  ---->| Remote |>-----------+      +------> | Remote Federated  |
+ Identity  ---->| Remote |>-----------+      |
- Server       | +--------+        |          |        | mxisd servers     |
+ Server       | +--------+        |          |
-              |                   |          |        +-------------------+
+              |                   |          |
-              | +--------+        |          |
+              | +--------+        |          |        +-------------------+
- Homeserver --->| Local  |>------------------+
+ Homeserver --->| Local  |>------------------+------> | Remote Federated  |
- and clients  | +--------+        |          |        +--------------------------+ 
+ and clients  | +--------+        |                   | mxisd servers     |
-              +-------------------+          +------> | Central Identity service |
+              +-------------------+                   +-------------------+
                                                      | Matrix.org / Vector.im   |
                                                      +--------------------------+
 ```
 To allow other federated Identity Server to reach yours, the same algorithm used for Homeservers takes place:
 1. Check for the appropriate DNS SRV record
 2. If not found, use the base domain
-## Configuration
+## Inbound
-If your Identity Server public hostname does not match your Matrix domain, configure the following DNS SRV entry 
+If you would like to be reachable for lookups over federation, create the following DNS SRV entry and replace
-and replace `matrix.example.com` by your Identity server public hostname - **Make sure to end with a final dot!**
+`matrix.example.com` by your Identity server public hostname:
 ```
 _matrix-identity._tcp.example.com. 3600 IN SRV 10 0 443 matrix.example.com.
 ``` 
 This would only apply for 3PID that are DNS-based, like e-mails. For anything else, like phone numbers, no federation 
 is currently possible.  
 The port must be HTTPS capable which is what you get in a regular setup with a reverse proxy from 443 to TCP 8090 of mxisd.
 ## Outbound
 If you would like to disable outbound federation and isolate your identity server from the rest of the Matrix network,
 use the following mxisd configuration options:
 ```yaml
 lookup.recursive.enabled: false
 invite.resolution.recursive: false
 session.policy.validation.forLocal.toRemote.enabled: false
 session.policy.validation.forRemote.toRemote.enabled: false
 ``` 
 There is currently no way to selectively disable federation towards specific servers, but this feature is planned.
--- a/docs/features/identity.md
+++ b/docs/features/identity.md
@@ -1,9 +1,19 @@
-# Matrix Identity Service
+# Identity
 **WARNING**: This document is incomplete and can be missleading.
 Implementation of the [Unofficial Matrix Identity Service API](https://kamax.io/matrix/api/identity_service/unstable.html).
-## Invitation
+## Lookups
 If you would like to use the central matrix.org Identity server to ensure maximum discovery at the cost of potentially
 leaking all your contacts information, add the following to your configuration:
 ```yaml
 forward.servers:
  - 'matrix-org'
 ```
 **NOTE:** You should carefully consider enabling this option, which is discouraged.  
 For more info, see the [relevant issue](https://github.com/kamax-io/mxisd/issues/76).
 ## Room Invitations
 Resolution can be customized using the following configuration:
 `invite.resolution.recursive`  
@@ -16,3 +26,6 @@ Resolution can be customized using the following configuration:
 `invite.resolution.timer`  
 - Default value: `1`  
 - Description: How often, in minutes, mxisd should try to resolve pending invites.
 ## 3PID addition to user profile
 See the [3PID session documents](../threepids/session)
--- a/docs/features/profile.md
+++ b/docs/features/profile.md
@@ -1,12 +1,9 @@
 # Profile enhancement
 **WARNING**: Alpha feature not officially supported. Do not use.
 ## Configuration
 ### Reverse proxy
 #### Apache
-```
+```apache
 ProxyPassMatch "^/_matrix/client/r0/profile/([^/]+)$" "http://127.0.0.1:8090/_matrix/client/r0/profile/$1"
 ProxyPassMatch "^/_matrix/client/r0/profile/([^/]+)/(.+)" "http://127.0.0.1:8008/_matrix/client/r0/profile/$1/$2"
 ```
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -7,19 +7,18 @@
 6. [Next steps](#next-steps)
 Following these quick start instructions, you will have a basic setup that can perform recursive/federated lookups and
-talk to the central Matrix.org Identity service.  
+talk to the central Matrix.org Identity server.  
-This will be a good ground work for further integration with your existing Identity stores.
+This will be a good ground work for further integration with features and your existing Identity stores.
 ## Preparation
 You will need:
 - Homeserver
 - Reverse proxy with regular TLS/SSL certificate (Let's encrypt) for your mxisd domain
-As synapse requires an HTTPS connection when talking to an Identity service, a reverse proxy is required as mxisd does
+As synapse requires an HTTPS connection when talking to an Identity service, **a reverse proxy is required** as mxisd does
 not support HTTPS listener at this time.
-For maximum integration, it is best to have your Homeserver and mxisd reachable via the same hostname.  
+For maximum integration, it is best to have your Homeserver and mxisd reachable via the same hostname.
 You can also use a dedicated domain for mxisd, but will not have access to some features.
 Be aware of a [NAT/Reverse proxy gotcha](https://github.com/kamax-io/mxisd/wiki/Gotchas#nating) if you use the same
 hostname.
@@ -37,16 +36,16 @@ Install via:
 See the [Latest release](https://github.com/kamax-io/mxisd/releases/latest) for links to each.
 ## Configure
-**NOTE**: please view the install instruction for your platform, as this step might be optional/handled for you.
+**NOTE**: please view the install instruction for your platform, as this step might be optional or already handled for you.
 Create/edit a minimal configuration (see installer doc for the location):
-```
+```yaml
-matrix.domain: 'MyMatrixDomain.org'
+matrix.domain: 'example.org'
 key.path: '/path/to/signing.key.file'
 storage.provider.sqlite.database: '/path/to/mxisd.db'
 ```  
- `matrix.domain` should be set to your Homeserver domain
+- `matrix.domain` should be set to your Homeserver domain (`server_name` in synapse configuration)
- `key.path` will store the signing keys, which must be kept safe!
+- `key.path` will store the signing keys, which must be kept safe! If the file does not exist, keys will be generated for you.
 - `storage.provider.sqlite.database` is the location of the SQLite Database file which will hold state (invites, etc.)
 If your HS/mxisd hostname is not the same as your Matrix domain, configure `server.name`.  
@@ -59,20 +58,20 @@ For an overview of a typical mxisd infrastructure, see the [dedicated document](
 In the `VirtualHost` section handling the domain with SSL, add the following and replace `0.0.0.0` by the internal
 hostname/IP pointing to mxisd.  
 **This line MUST be present before the one for the homeserver!**
-```
+```apache
-ProxyPass /_matrix/identity/ http://0.0.0.0:8090/_matrix/identity/
+ProxyPass /_matrix/identity http://0.0.0.0:8090/_matrix/identity
 ```
 Typical configuration would look like:
-```
+```apache
 <VirtualHost *:443>
    ServerName example.org
    ...
    ProxyPreserveHost on
-    ProxyPass /_matrix/identity/ http://localhost:8090/_matrix/identity/
+    ProxyPass /_matrix/identity http://localhost:8090/_matrix/identity
-    ProxyPass /_matrix/ http://localhost:8008/_matrix/
+    ProxyPass /_matrix http://localhost:8008/_matrix
 </VirtualHost>
 ```
@@ -80,14 +79,14 @@ Typical configuration would look like:
 In the `server` section handling the domain with SSL, add the following and replace `0.0.0.0` with the internal
 hostname/IP pointing to mxisd.
 **This line MUST be present before the one for the homeserver!**
-```
+```nginx
 location /_matrix/identity {
    proxy_pass http://0.0.0.0:8090/_matrix/identity;
 }
 ```
 Typical configuration would look like:
-```
+```nginx
 server {
    listen 443 ssl;
    server_name example.org;
@@ -110,37 +109,27 @@ server {
 ### Synapse
 Add your mxisd domain into the `homeserver.yaml` at `trusted_third_party_id_servers` and restart synapse.  
-In a typical configuration, you would end up with something similair to:
+In a typical configuration, you would end up with something similar to:
-```
+```yaml
 trusted_third_party_id_servers:
    - matrix.org
    - vector.im
    - example.org
 ```
-It is recommended to remove `matrix.org` and `vector.im` so only your own Identity server is authoritative for your HS.
+It is recommended to remove `matrix.org` and `vector.im` (or any other default entry) from your configuration so only
 your own Identity server is authoritative for your HS.
 ## Validate
 Log in using your Matrix client and set `https://example.org` as your Identity server URL, replacing `example.org` by
 the relevant hostname which you configured in your reverse proxy.  
-Invite `mxisd-lookup-test@kamax.io` to a room, which should be turned into a Matrix invite to `@mxisd-lookup-test:kamax.io`.  
+Invite `mxisd-federation-test@kamax.io` to a room, which should be turned into a Matrix invite to `@mxisd-lookup-test:kamax.io`.
-**NOTE:** you might not see a Matrix suggestion for the e-mail address, which is normal. Still proceed with the invite.
+At this point, the test user will join the room, send a congratulation message and leave.  
 **NOTE:** You might not see a suggestion for the e-mail address, which is normal. Still proceed with the invite.
 If it worked, it means you are up and running and can enjoy mxisd in its basic mode! Congratulations!  
-If it did not work, [get in touch](#support) and we'll do our best to get you started.
+If it did not work, [get in touch](../README.md#support) and we'll do our best to get you started.
 You can now integrate mxisd further with your infrastructure using the various [features](README.md) guides.
 ## Next steps
-Once your mxisd server is up and running, here are the next steps to further enhance and integrate your installation:
+Once your mxisd server is up and running, there are several ways you can enhance and integrate further with your
 infrastructure:
-Enable extra features:
+- [Enable extra features](features/)
- [Federation](features/federation.md)
+- [Use your own Identity stores](stores/README.md)
 - [Authenticate with synapse](features/authentication.md), profile auto-provisioning if you wish
 - [Directory search](features/directory-users.md)
 Use your Identity stores:
 - [LDAP / Samba / Active directory](backends/ldap.md)
 - [SQL Database](backends/sql.md)
 - [Website / Web service / Web app](backends/rest.md)
 - [Google Firebase](backends/firebase.md)
 - [Wordpress](backends/wordpress.md)
--- a/docs/install/archlinux.md
+++ b/docs/install/archlinux.md
@@ -0,0 +1,3 @@
 # Arch Linux package
 An Arch Linux package in the AUR repos is maintained by [r3pek](https://matrix.to/#/@r3pek:r3pek.org), a community member.  
 See https://aur.archlinux.org/packages/mxisd/
--- a/docs/install/debian.md
+++ b/docs/install/debian.md
@@ -1,28 +1,28 @@
 # Debian package
 ## Install
-1. Donwload the [latest release](https://github.com/kamax-io/mxisd/releases/latest)
+1. Download the [latest release](https://github.com/kamax-io/mxisd/releases/latest)
 2. Run:
-```
+```bash
 dpkg -i /path/to/downloaded/mxisd.deb
 ```
 ## Files
-| Location                          | Purpose                                      |
+| Location                            | Purpose                                      |
-|-----------------------------------|----------------------------------------------|
+|-------------------------------------|----------------------------------------------|
-| /etc/mxisd                        | Configuration directory                      |
+| `/etc/mxisd`                        | Configuration directory                      |
-| /etc/mxisd/mxisd.yaml             | Main configuration file                      |
+| `/etc/mxisd/mxisd.yaml`             | Main configuration file                      |
-| /etc/mxisd/signing.key            | Default location for mxisd signing keys      |
+| `/etc/systemd/system/mxisd.service` | Systemd configuration file for mxisd service |
-| /etc/systemd/system/mxisd.service | Systemd configuration file for mxisd service |
+| `/usr/lib/mxisd`                    | Binaries                                     |
-| /usr/lib/mxisd                    | Binairies                                    |
+| `/var/lib/mxisd`                    | Data                                         |
-| /var/lib/mxisd                    | Data                                         |
+| `/var/lib/mxisd/signing.key`        | Default location for mxisd signing keys      |
 ## Control
 Start mxisd using:
-```
+```bash
 sudo systemctl start mxisd
 ```
 Stop mxisd using:
-```
+```bash
 sudo systemctl stop mxisd
 ```
@@ -35,5 +35,5 @@ tail -n 99 -f /var/log/syslog | grep mxisd
 ```
 - use Systemd's journal:
 ```
-journalctl -f n 99 -u mxisd
+journalctl -f -n 99 -u mxisd
 ```
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -1,7 +1,7 @@
 # Docker
 ## Fetch
 Pull the latest stable image:
-```
+```bash
 docker pull kamax/mxisd
 ```
@@ -15,7 +15,7 @@ Use the following command after adapting to your needs:
 - The `MATRIX_DOMAIN` environment variable to yours
 - The volumes host paths
-```
+```bash
 docker run --rm -e MATRIX_DOMAIN=example.org -v /data/mxisd/etc:/etc/mxisd -v /data/mxisd/var:/var/mxisd -p 8090:8090 -t kamax/mxisd
 ```
--- a/docs/install/source.md
+++ b/docs/install/source.md
@@ -0,0 +1,38 @@
 # Install from sources
 ## Instructions
 Follow the [build instructions](../build.md) then:
 1. Prepare files and directories:
 ```bash
 # Create a dedicated user
 useradd -r mxisd
 # Create bin directory
 mkdir /opt/mxisd
 # Create config directory and set ownership
 mkdir -p /etc/opt/mxisd
 chown -R mxisd /etc/opt/mxisd
 # Create data directory and set ownership
 mkdir -p /var/opt/mxisd
 chown -R mxisd /var/opt/mxisd
 # Copy <repo root>/build/libs/mxisd.jar to bin directory
 cp ./build/libs/mxisd.jar /opt/mxisd/
 chown mxisd /opt/mxisd/mxisd.jar
 chmod a+x /opt/mxisd/mxisd.jar
 # Create symlink for easy exec
 ln -s /opt/mxisd/mxisd.jar /usr/bin/mxisd
 ```
 2. Copy the sample config file `./application.example.yaml` to `/etc/opt/mxisd/mxisd.yaml`, edit to your needs
 3. Copy `src/systemd/mxisd.service` to `/etc/systemd/system/` and edit if needed
 4. Enable service for auto-startup
 ```bash
 systemctl enable mxisd
 ```
 5. Start mxisd
 ```bash
 systemctl start mxisd
 ```
--- a/docs/backends/README.md
+++ b/docs/backends/README.md
@@ -1,6 +1,7 @@
-# Identity Stores (Backends)
+# Identity Stores
- [Samba / Active Directory / LDAP](ldap.md)
+- [Synapse](synapse.md)
 - [LDAP-based](ldap.md)
 - [SQL Databases](sql.md)
 - [Website / Web service / Web app](rest.md)
 - [Google Firebase](firebase.md)
- [Wordpress](wordpress.md)
+- [Wordpress](wordpress.md)
--- a/docs/stores/firebase.md
+++ b/docs/stores/firebase.md
@@ -0,0 +1,52 @@
 # Google Firebase Identity store
 https://firebase.google.com/
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | No         |
 | Identity       | Yes        |
 ## Requirements
 This backend requires a suitable Matrix client capable of performing Firebase authentication and passing the following
 information:
 - Firebase User ID as Matrix username
 - Firebase token as Matrix password
 If your client is Riot, you will need a custom version.
 ## Configuration
 ```yaml
 firebase.enabled: <boolean>
 ```
 Enable/disable this identity store.
 Example:
 ```yaml
 firebase.enabled: <boolean>
 ```
 ---
 ```yaml
 firebase.credentials: <string>
 ```
 Path to the credentials file provided by Google Firebase to use with an external app.
 Example:
 ```yaml
 firebase.credentials: '/path/to/firebase/credentials.json'
 ```
 ---
 ```yaml
 firebase.database: <string>
 ```
 URL to your Firebase database.
 Example:
 ```yaml
 firebase.database: 'https://my-project.firebaseio.com/'
 ```
--- a/docs/stores/ldap.md
+++ b/docs/stores/ldap.md
@@ -0,0 +1,120 @@
 # LDAP Identity store
 ## Supported products:
 - Samba
 - Active Directory
 - OpenLDAP
 - NetIQ eDirectory
 For NetIQ, replace all the `ldap` prefix in the configuration by `netiq`.
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | Yes        |
 | Identity       | Yes        |
 ## Getting started
 ### Base
 To use your LDAP backend, add the bare minimum configuration in mxisd config file:
 ```yaml
 ldap.enabled: true
 ldap.connection.host: 'ldapHostnameOrIp'
 ldap.connection.port: 389
 ldap.connection.bindDn: 'CN=My Mxisd User,OU=Users,DC=example,DC=org'
 ldap.connection.bindPassword: 'TheUserPassword'
 ldap.connection.baseDn: 'OU=Users,DC=example,DC=org'
 ```
 These are standard LDAP connection configuration. mxisd will try to connect on port default port 389 without encryption.
 ### TLS/SSL connection
 If you would like to use a TLS/SSL connection, use the following configuration options (STARTLS not supported):
 ```yaml
 ldap.connection.tls: true
 ldap.connection.port: 12345
 ```
 ### Filter results
 You can also set a default global filter on any LDAP queries:
 ```yaml
 ldap.filter: '(memberOf=CN=My Matrix Users,OU=Groups,DC=example,DC=org)'
 ```
 This example would only return users part of the group called `My Matrix Users`.
 This can be overwritten or append in each specific flow describe below.
 For supported syntax, see the [LDAP library documentation](http://directory.apache.org/api/user-guide/2.3-searching.html#filter).
 ### Attribute mapping
 LDAP features are based on mapping LDAP attributes to Matrix concepts, like a Matrix ID, its localpart, the user display
 name, their email(s) and/or phone number(s).
 Default attributes are well suited for Active Directory/Samba. In case you are using a native LDAP backend, you will
 most certainly configure those mappings.
 #### User ID
 `ldap.attribute.uid.type`: How to process the User ID (UID) attribute:
 - `uid` will consider the value as the [Localpart](https://matrix.org/docs/spec/intro.html#user-identifiers)
 - `mxid` will consider the value as a complete [Matrix ID](https://matrix.org/docs/spec/intro.html#user-identifiers)
 `ldap.attribute.uid.value`: Attribute to use to set the User ID value.
 The following example would set the `sAMAccountName` attribute as a Matrix User ID localpart:
 ```yaml
 ldap.attribute.uid.type: 'uid'
 ldap.attribute.uid.value: 'sAMAccountName'
 ```
 #### Display name
 Use `ldap.attribute.name`.
 The following example would set the display name to the value of the `cn` attribute:
 ```yaml
 ldap.attribute.name: 'cn'
 ```
 #### 3PIDs
 You can also change the attribute lists for 3PID, like email or phone numbers.
 The following example would overwrite the [default list of attributes](../../src/main/resources/application.yaml#L67)
 for emails and phone number:
 ```yaml
 ldap.attribute.threepid.email:
  - 'mail'
  - 'otherMailAttribute'
 ldap.attribute.threepid.msisdn:
  - 'phone'
  - 'otherPhoneAttribute'
 ```
 ## Features
 ### Identity
 Identity features (related to 3PID invites or searches) are enabled and configured using default values and no specific
 configuration item is needed to get started.
 #### Configuration
 - `ldap.identity.filter`: Specific user filter applied during identity search. Global filter is used if blank/not set.
 - `ldap.identity.medium`: Namespace to overwrite generated queries from the list of attributes for each 3PID medium.
 ### Authentication
 No further configuration is needed to use the Authentication feature with LDAP once globally enabled and configured.
 Profile auto-fill is enabled by default. It will use the `ldap.attribute.name` and `ldap.attribute.threepid` configuration
 options to get a lit of attributes to be used to build the user profile to pass on to synapse during authentication.
 #### Configuration
 - `ldap.auth.filter`: Specific user filter applied during identity search. Global filter is used if blank/not set.
 ### Directory
 No further configuration is needed to use the Directory feature with LDAP once globally enabled and configured.
 #### Configuration
 To set a specific filter applied during directory search, use `ldap.directory.filter`
 If you would like to use extra attributes in search that are not 3PIDs, like nicknames, group names, employee number:
 ```yaml
 ldap.directory.attribute.other:
  - 'myNicknameAttribute'
  - 'memberOf'
  - 'employeeNumberAttribute'
 ```
--- a/docs/backends/rest.md
+++ b/docs/backends/rest.md
@@ -1,27 +1,28 @@
-# REST backend
+# REST Identity store
 The REST backend allows you to query identity data in existing webapps, like:
 - Forums (phpBB, Discourse, etc.)
 - Custom Identity stores (Keycloak, ...)
 - CRMs (Wordpress, ...)
 - self-hosted clouds (Nextcloud, ownCloud, ...)
 It supports the following mxisd flows:
 - [Authentication](#authentication)
 - [Directory](#directory)
 - [Identity](#identity)
 To integrate this backend with your webapp, you will need to implement three specific REST endpoints detailed below.
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | Yes        |
 | Identity       | Yes        |
 ## Configuration
-| Key                            | Default                                      | Description                                          |
+| Key                              | Default                                        | Description                                          |
---------------------------------|----------------------------------------------|------------------------------------------------------|
+|----------------------------------|------------------------------------------------|------------------------------------------------------|
-| rest.enabled                   | false                                        | Globally enable/disable the REST backend             |
+| `rest.enabled`                   | `false`                                        | Globally enable/disable the REST backend             |
-| rest.host                      | *empty*                                      | Default base URL to use for the different endpoints. |
+| `rest.host`                      | *None*                                        | Default base URL to use for the different endpoints. |
-| rest.endpoints.auth            | /_mxisd/backend/api/v1/auth/login            | Validate credentials and get user profile            |
+| `rest.endpoints.auth`            | `/_mxisd/backend/api/v1/auth/login`            | Validate credentials and get user profile            |
-| rest.endpoints.directory       | /_mxisd/backend/api/v1/directory/user/search | Search for users by arbitrary input                  |
+| `rest.endpoints.directory`       | `/_mxisd/backend/api/v1/directory/user/search` | Search for users by arbitrary input                  |
-| rest.endpoints.identity.single | /_mxisd/backend/api/v1/identity/single       | Endpoint to query a single 3PID                      |
+| `rest.endpoints.identity.single` | `/_mxisd/backend/api/v1/identity/single`       | Endpoint to query a single 3PID                      |
-| rest.endpoints.identity.bulk   | /_mxisd/backend/api/v1/identity/bulk         | Endpoint to query a list of 3PID                     |
+| `rest.endpoints.identity.bulk`   | `/_mxisd/backend/api/v1/identity/bulk`         | Endpoint to query a list of 3PID                     |
 Endpoint values can handle two formats:
 - URL Path starting with `/` that gets happened to the `rest.host`
@@ -35,7 +36,7 @@ HTTP method: `POST`
 Content-type: JSON UTF-8
 #### Request Body
-```
+```json
 {
  "auth": {
    "mxid": "@john.doe:example.org",
@@ -48,7 +49,7 @@ Content-type: JSON UTF-8
 #### Response Body
 If the authentication fails:
-```
+```json
 {
  "auth": {
    "success": false
@@ -59,7 +60,7 @@ If the authentication fails:
 If the authentication succeed:
 - `auth.id` supported values: `localpart`, `mxid`
 - `auth.profile` and any sub-member are all optional
-```
+```json
 {
  "auth": {
    "success": true,
@@ -89,7 +90,7 @@ HTTP method: `POST`
 Content-type: JSON UTF-8
 #### Request Body
-```
+```json
 {
  "by": "<search type>",
  "search_term": "doe"
@@ -101,7 +102,7 @@ Content-type: JSON UTF-8
 #### Response Body:
 If users found:
-```
+```json
 {
  "limited": false,
  "results": [
@@ -118,7 +119,7 @@ If users found:
 ```
 If no user found:
-```
+```json
 {
  "limited": false,
  "results": []
@@ -131,7 +132,7 @@ HTTP method: `POST`
 Content-type: JSON UTF-8  
 #### Request Body
-```
+```json
 {
  "lookup": {
    "medium": "email",
@@ -143,7 +144,7 @@ Content-type: JSON UTF-8
 #### Response Body
 If a match was found:
 - `lookup.id.type` supported values: `localpart`, `mxid`
-```
+```json
 {
  "lookup": {
    "medium": "email",
@@ -157,7 +158,7 @@ If a match was found:
 ```
 If no match was found:
-```
+```json
 {}
 ```
@@ -166,7 +167,7 @@ HTTP method: `POST`
 Content-type: JSON UTF-8  
 #### Request Body
-```
+```json
 {
  "lookup": [
    {
@@ -184,7 +185,7 @@ Content-type: JSON UTF-8
 #### Response Body
 For all entries where a match was found:
 - `lookup[].id.type` supported values: `localpart`, `mxid`
-```
+```json
 {
  "lookup": [
    {
@@ -208,7 +209,7 @@ For all entries where a match was found:
 ```
 If no match was found:
-```
+```json
 {
  "lookup": []
 }
--- a/docs/stores/sql.md
+++ b/docs/stores/sql.md
@@ -0,0 +1,98 @@
 # SQL Identity store
 ## Supported Databases
 - PostgreSQL
 - MariaDB
 - MySQL
 - SQLite
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | No         |
 | Directory      | Yes        |
 | Identity       | Yes        |
 Due to the implementation complexity of supporting arbitrary hashing/encoding mechanisms or auth flow, Authentication
 will be out of scope of SQL Identity stores and should be done via one of the other identity stores, typically
 the [REST Identity store](rest.md).
 ## Configuration
 ### Basic
 ```yaml
 sql.enabled: <boolean>
 ```
 Enable/disable the identity store
 ---
 ```yaml
 sql.type: <string>
 ```
 Set the SQL backend to use:
 - `sqlite`
 - `postgresql`
 - `mariadb`
 - `mysql`
 ### Connection
 #### SQLite
 ```yaml
 sql.connection: <string>
 ```
 Set the value to the absolute path to the Synapse SQLite DB file.
 Example: `/path/to/sqlite/file.db`
 #### Others
 ```yaml
 sql.connection: //<HOST[:PORT]/DB?user=USER&password=PASS
 ```
 Set the connection info for the database by replacing the following values:
 - `HOST`: Hostname of the SQL server
 - `PORT`: Optional port value, if not default
 - `DB`: Database name
 - `USER`: Username for the connection
 - `PASS`: Password for the connection
 This follow the JDBC URI syntax. See [official website](https://docs.oracle.com/javase/tutorial/jdbc/basics/connecting.html#db_connection_url).
 ### Directory
 ```yaml
 sql.directory.enabled: false
 ```
 ---
 ```yaml
 sql.directory.query:
  name:
    type: <string>
    value: <string>
  threepid:
    type: <string>
    value: <string>
 ```
 For each query, `type` can be used to tell mxisd how to process the ID column:
 - `localpart` will append the `matrix.domain` to it
 - `mxid` will use the ID as-is. If it is not a valid Matrix ID, the search will fail.
 `value` is the SQL query and must return two columns:
 - The first being the User ID
 - The second being its display name
 Example:
 ```yaml
 sql.directory.query:
  name:
    type: 'localpart'
    value: 'SELECT idColumn, displayNameColumn FROM table WHERE displayNameColumn LIKE ?'
  threepid:
    type: 'localpart'
    value: 'SELECT idColumn, displayNameColumn FROM table WHERE threepidColumn LIKE ?'
 ```
 ### Identity
 ```yaml
 sql.identity.type: <string>
 sql.identity.query: <string>
 ```
--- a/docs/stores/synapse.md
+++ b/docs/stores/synapse.md
@@ -0,0 +1,48 @@
 # Synapse Identity Store
 Synapse's Database itself can be used as an Identity store.
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | No         |
 | Directory      | Yes        |
 | Identity       | Yes        |
 Authentication is done by Synapse itself.
 ## Configuration
 ### Basic
 ```yaml
 synapseSql.enabled: <boolean>
 ```
 Enable/disable the identity store
 ---
 ```yaml
 synapseSql.type: <string>
 ```
 Set the SQL backend to use which is configured in synapse:
 - `sqlite`
 - `postgresql`
 ### SQLite
 ```yaml
 synapseSql.connection: <string>
 ```
 Set the value to the absolute path to the Synapse SQLite DB file.
 Example: `/path/to/synapse/sqliteFile.db`
 ### PostgreSQL
 ```yaml
 synapseSql.connection: //<HOST[:PORT]/DB?user=USER&password=PASS
 ```
 Set the connection info for the database by replacing the following values:
 - `HOST`: Hostname of the SQL server
 - `PORT`: Optional port value, if not default
 - `DB`: Database name
 - `USER`: Username for the connection
 - `PASS`: Password for the connection
 ### Query customization
 See the [SQL Identity store](sql.md)
--- a/docs/backends/wordpress.md
+++ b/docs/backends/wordpress.md
@@ -1,13 +1,15 @@
-# Wordpress
+# Wordpress Identity store
 This Identity store allows you to use user accounts registered on your Wordpress setup.  
 Two types of connections are required for full support:
 - [REST API](https://developer.wordpress.org/rest-api/) with JWT authentication
 - Direct SQL access
-This Identity store supports the following features:
+## Features
- [Authentication](../features/authentication.md)
+|      Name      | Supported? |
- [Directory](../features/directory-users.md)
+|----------------|------------|
- [Identity](../features/identity.md)
+| Authentication | Yes        |
 | Directory      | Yes        |
 | Identity       | Yes        |
 ## Requirements
 - [Wordpress](https://wordpress.org/download/) >= 4.4
@@ -19,7 +21,7 @@ This Identity store supports the following features:
 ### Wordpress
 #### JWT Auth
 Set a JWT secret into `wp-config.php` like so:
-```
+```php
 define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
 ```
 `your-top-secret-key` should be set to a randomly generated value which is kept secret.
@@ -30,23 +32,23 @@ If this is not the case for your installation, the mxisd URL will need to be app
 ### mxisd
 Enable in the configuration:
-```
+```yaml
 wordpress.enabled: true
 ```
 Configure the URL to your Wordpress installation - see above about added `/index.php`:
-```
+```yaml
 wordpress.rest.base: 'http://localhost:8080'
 ```
 Configure the SQL connection to your Wordpress database:
-```
+```yaml
 wordpress.sql.connection: '//127.0.0.1/wordpress?user=root&password=example'
 ```
 ---
 By default, MySQL database is expected. If you use another database, use:
-```
+```yaml
-wordpress.sql.type: 'jdbc-scheme'
+wordpress.sql.type: <string>
 ```
 With possible values:
 - `mysql`
--- a/docs/threepids/medium/email/smtp-connector.md
+++ b/docs/threepids/medium/email/smtp-connector.md
@@ -1,19 +1,19 @@
 # Email notifications - SMTP connector
 Enabled by default.
 Connector ID: `smtp`
-Example configuration:
+## Configuration
-```
+```yaml
-threepid:
+threepid.medium.email:
-  medium:
+  identity:
-    email:
+    from: 'identityServerEmail@example.org'
-      identity:
+    name: 'My Identity Server'
-        from: 'identityServerEmail@example.org'
+  connectors:
-        name: 'My Identity Server'
+    smtp:
-      connectors:
+      host: 'smtpHostname'
-        smtp:
+      port: 587
-          host: 'smtpHostname'
+      tls: 1 # 0 = no STARTLS, 1 = try, 2 = force
-          port: 587
+      login: 'smtpLogin'
-          tls: 1 # 0 = no STARTLS, 1 = try, 2 = force
+      password: 'smtpPassword'
          login: 'smtpLogin'
          password: 'smtpPassword'
 ```
--- a/docs/threepids/medium/msisdn/twilio-connector.md
+++ b/docs/threepids/medium/msisdn/twilio-connector.md
@@ -1,15 +1,11 @@
 # SMS notifications - Twilio connector
 Enabled by default.
 Connector ID: `twilio`
-Example configuration:
+## Configuration
-```
+```yaml
-threepid:
+threepid.medium.msisdn.connectors.twilio.accountSid: 'myAccountSid'
-  medium:
+threepid.medium.msisdn.connectors.twilio.authToken: 'myAuthToken'
-    msisdn:
+threepid.medium.msisdn.connectors.twilio.number: '+123456789'
      connectors:
        twilio:
          accountSid: 'myAccountSid'
          authToken: 'myAuthToken'
          number: '+123456789'
 ```
--- a/docs/threepids/notification/basic-handler.md
+++ b/docs/threepids/notification/basic-handler.md
@@ -0,0 +1,37 @@
 # Basic Notification handler
 Basic notification handler which uses two components:
 - Content generator, to produce the notifications
 - Connectors to send the notification content
 This handler can be used with the 3PID types:
 - `email`
 - `msisdn` (Phone numbers)
 ## Generators
 - [Template](template-generator.md)
 ## Connectors
 - Email
  - [SMTP](../medium/email/smtp-connector.md)
 - SMS
  - [Twilio](../medium/msisdn/twilio-connector.md)
 ## Configuration
 Enabled by default or with:
 ```yaml
 notification.handler.email: 'raw'
 ```
 **WARNING:** Will be consolidated soon, prone to breaking changes.  
 Structure and default values:
 ```yaml
 threepid.medium:
  email:
    identity:
      from: ''
      name: ''
    connector: 'smtp'
    generator: 'template'
  msisdn:
    connector: 'twilio'
    generator: 'template'
 ```
--- a/docs/threepids/notifications/sendgrid-handler.md
+++ b/docs/threepids/notifications/sendgrid-handler.md
@@ -2,8 +2,6 @@
 To be completed. See [raw possible configuration items](https://github.com/kamax-io/mxisd/blob/master/src/main/resources/application.yaml#L172).
 Enabled with:
 ```yaml
 notification.handler.email: 'sendgrid'
 ```
 notification:
  handler:
    email: 'sendgrid'
 ```
--- a/docs/threepids/notifications/template-generator.md
+++ b/docs/threepids/notifications/template-generator.md
@@ -10,17 +10,15 @@ placeholders and also have their own individual set of placeholders.
 ## Configuration
 To configure paths to the various templates:
-```
+```yaml
-threepid:
+threepid.medium.<YOUR 3PID MEDIUM HERE>:
-  medium:
+  generators:
-    <YOUR 3PID MEDIUM HERE>:
+    template:
-      generators:
+      invite: '/path/to/invite-template.eml'
-        template:
+      session:
-          invite: '/path/to/invite-template.eml'
+        validation:
-          session:
+          local: '/path/to/validate-local-template.eml'
-            validation:
+          remote: 'path/to/validate-remote-template.eml'
              local: '/path/to/validate-local-template.eml'
              remote: 'path/to/validate-remote-template.eml'
 ```
 The `template` generator is usually the default, so no further configuration is needed.
--- a/docs/threepids/notifications/basic-handler.md
+++ b/docs/threepids/notifications/basic-handler.md
@@ -1,66 +0,0 @@
 # Basic Notification handler
 Basic notification handler which uses two components:
 - Content generator, to produce the notifications
 - Connectors to send the notification content
 This handler can be used with the 3PID types:
 - `email`
 - `msisdn` (Phone numbers)
 ## Generators
 - [Template](template-generator.md)
 ## Connectors
 - Email
  - [SMTP](../medium/email/smtp-connector.md)
 - SMS
  - [Twilio](../medium/msisdn/twilio-connector.md)
 ## Configuration
 Enabled by default or with:
 ```
 notification:
  handler:
    email: 'raw'
 ```
 **WARNING:** Will be consolidated soon, prone to breaking changes.  
 Structure and default values:
 ```
 threepid:
  medium:
    email:
      identity:
        from: ''
        name: ''
      connector: 'smtp'
      generator: 'template'
      connectors:
        smtp:
          host: ''
          port: 587
          tls: 1
          login: ''
          password: ''
      generators:
        template:
          invite: 'classpath:threepids/email/invite-template.eml'
          session:
            validation:
              local: 'classpath:threepids/email/validate-local-template.eml'
              remote: 'classpath:threepids/email/validate-remote-template.eml'
    msisdn:
      connector: 'twilio'
      generator: 'template'
      connectors:
        twilio:
          accountSid: ''
          authToken: ''
          number: ''
      generators:
        template:
          invite: 'classpath:threepids/sms/invite-template.txt'
          session:
            validation:
              local: 'classpath:threepids/sms/validate-local-template.txt'
              remote: 'classpath:threepids/sms/validate-remote-template.txt'
 ```
--- a/docs/threepids/session/session-views.md
+++ b/docs/threepids/session/session-views.md
@@ -1,26 +1,30 @@
-# Web pages for the 3PID session processes
+# Web pages for the 3PID sessions
 You can customize the various pages used during a 3PID validation using [Thymeleaf templates](http://www.thymeleaf.org/).
 ## Configuration
 Pseudo-configuration to illustrate the structure:
 ```yaml
 # CONFIGURATION EXAMPLE
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 view.session.local:
  onTokenSubmit:
    success: '/path/to/session/local/tokenSubmitSuccess-page.html'
    failure: '/path/to/session/local/tokenSubmitFailure-page.html'
 view.session.localRemote:
  onTokenSubmit:
    success: '/path/to/session/localRemote/tokenSubmitSuccess-page.html'
    failure: '/path/to/session/local/tokenSubmitFailure-page.html'
 view.session.remote:
  onRequest:
    success: '/path/to/session/remote/requestSuccess-page.html'
    failure: '/path/to/session/remote/requestFailure-page.html'
  onCheck:
    success: '/path/to/session/remote/checkSuccess-page.html'
    failure: '/path/to/session/remote/checkFailure-page.html'
 # CONFIGURATION EXAMPLE
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 ```
-view:
+
  session:
    local:
      onTokenSubmit:
        success: '/path/to/session/local/tokenSubmitSuccess-page.html'
        failure: '/path/to/session/local/tokenSubmitFailure-page.html'
    localRemote:
      onTokenSubmit:
        success: '/path/to/session/localRemote/tokenSubmitSuccess-page.html'
        failure: '/path/to/session/local/tokenSubmitFailure-page.html'
    remote:
      onRequest:
        success: '/path/to/session/remote/requestSuccess-page.html'
        failure: '/path/to/session/remote/requestFailure-page.html'
      onCheck:
        success: '/path/to/session/remote/checkSuccess-page.html'
        failure: '/path/to/session/remote/checkFailure-page.html'
 ```
 3PID session are divided into three config sections:
 - `local` for local-only 3PID sessions
 - `localRemote` for local 3PID sessions that can also be turned into remote sessions, if the user so desires
--- a/docs/threepids/session/session.md
+++ b/docs/threepids/session/session.md
@@ -6,7 +6,7 @@
  - [Session scope](#session-scope)
 - [Notifications](#notifications)
  - [Email](#email)
-  - [Phone numbers](#msisdn-phone-numbers)
+  - [Phone numbers](#msisdn-(phone-numbers))
 - [Usage](#usage)
  - [Configuration](#configuration)
  - [Web views](#web-views)
@@ -47,7 +47,7 @@ To ensure lookup works consistency within the current Matrix network, the centra
 used to store *remote* sessions and binds.
 On the flip side, at the time of writing, the Matrix specification and the central Matrix.org servers do not allow to
-remote a 3PID bind. This means that once a 3PID is published (email, phone number, etc.), it cannot be easily remove
+remote a 3PID bind. This means that once a 3PID is published (email, phone number, etc.), it cannot be easily removed
 and would require contacting the Matrix.org administrators for each bind individually.  
 This poses a privacy, control and security concern, especially for groups/corporations that want to keep a tight control
 on where such identifiers can be made publicly visible.
@@ -80,9 +80,8 @@ Sessions can be scoped as:
 **IMPORTANT NOTE:** mxisd does not store bindings directly. While a user can see its email, phone number or any other
 3PID in its settings/profile, it does **NOT** mean it is published anywhere and can be used to invite/search the user.
-Identity backends (LDAP, REST, SQL) are the ones holding such data.  
+Identity stores are the ones holding such data.  
-If you still want added arbitrary 3PIDs to be discoverable on your local server, you will need to link mxisd to your
+If you still want added arbitrary 3PIDs to be discoverable on a synapse Homeserver, use the corresponding [Identity store](../../stores/synapse.md).
 synapse DB to make it an Identity backend.
 See the [Scenarios](#scenarios) for more info on how and why.
@@ -99,93 +98,43 @@ Built-in generators and connectors for supported 3PID types:
 ### Email
 Generators:
- [Template](../threepids/notifications/template-generator.md)
+- [Template](../notification/template-generator.md)
 Connectors:
- [SMTP](../threepids/medium/email/smtp-connector.md)
+- [SMTP](../medium/email/smtp-connector.md)
 #### MSISDN (Phone numbers)
 Generators:
- [Template](../threepids/notifications/template-generator.md)
+- [Template](../notification/template-generator.md)
 Connectors:
- - [Twilio](../threepids/medium/msisdn/twilio-connector.md) with SMS
+ - [Twilio](../medium/msisdn/twilio-connector.md) with SMS
 ## Usage
 ### Configuration
 The following example of configuration (incomplete extract) shows which items are relevant for 3PID sessions.
 **IMPORTANT:** Most configuration items shown have default values and should not be included in your own configuration
-file unless you want to specifically overwrite them.  
+file unless you want to specifically overwrite them.
-Please refer to the full example config file to see which keys are mandatory and to be included in your configuration.
+```yaml
 # CONFIGURATION EXAMPLE
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 session.policy.validation.enabled: true
 session.policy.validation.forLocal:
  enabled: true
  toLocal: true
  toRemote:
    enabled: true
    server: 'configExample'  # Not to be included in config! Already present in default config!
 session.policy.validation.forRemote:
  enabled: true
  toLocal: true
  toRemote:
    enabled: true
    server: 'configExample'  # Not to be included in config! Already present in default config!
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 # CONFIGURATION EXAMPLE
 ```
 matrix:
  identity:
    servers:
      configExample: # Not to be included in config! Already present in default config!
        - 'https://example.org'
 threepid:
  medium:
    email:
      connector: 'example1' # Not to be included in config! Already present in default config! 
      generator: 'example2' # Not to be included in config! Already present in default config!
      connectors:
        example1:
      generators:
        example1:
          key: "value"
        example2:
          key: "value"
 session:
  policy:
    validation:
      enabled: true
      forLocal:
        enabled: true
        toLocal: true
        toRemote:
          enabled: true
          server: 'configExample'  # Not to be included in config! Already present in default config!
      forRemote:
        enabled: true
        toLocal: false
        toRemote:
          enabled: true
          server: 'configExample'  # Not to be included in config! Already present in default config!
 ```
 `matrix.identity.servers` is the namespace to configure arbitrary list of Identity servers with a label as parent key.  
 In the above example, the list with label `configExample` contains a single server entry pointing to `https://example.org`.  
 **NOTE:** The server list is set to `root` by default and should typically NOT be included in your config.  
 Identity server entry can be of two format:
 - URL, bypassing any kind of domain and port discovery
 - Domain name as `string`, allowing federated discovery to take place.
 The label can be used in other places of the configuration, allowing you to only declare Identity servers once.
 ---
 `threepid.medium.<3PID>` is the namespace to configure 3PID specific items, not directly tied to any other component of
 mxisd.  
 In the above example, only `email` is defined as 3PID type.
 Each 3PID namespace comes with 4 configuration key allowing you to configure generators and connectors for notifications:
 - `connectors` is a configuration namespace to be used for any connector configuration. Child keys represent the unique
 ID for each connector.
 - `generators` is a configuration namespace to be used for any generator configuration. Child keys represent the unique
 ID for each generator.
 - `connector` is given the ID of the connector to be used at runtime.
 - `generator` is given the ID of the generator to be used at runtime.
 In the above example, emails notifications are generated by the `example2` module and sent with the `example1` module.  
 By default, `template` is used as generator and `smtp` as connector.
 ---
 `session.policy.validation` is the core configuration to control what users configured to use your Identity server
 are allowed to do in terms of 3PID sessions.
@@ -196,23 +145,23 @@ It is also divided into two sections: `forLocal` and `forRemote` which refers to
 Each scope is divided into three parts:
 - global on/off switch for 3PID sessions using `.enabled`
 - `toLocal` allowing or not local 3PID session validations
- `toRemote` allowing or not remote 3PID session validations and to which server such sessions should be sent. 
+- `toRemote` allowing or not remote 3PID session validations and to which server such sessions should be sent.   
-`.server` takes a Matrix Identity server list label. Only the first server in the list is currently used.
+  `.server` takes a Matrix Identity server list label. Only the first server in the list is currently used.
 If both `toLocal` and `toRemote` are enabled, the user will be offered to initiate a remote session once their 3PID
 locally validated.
 ### Web views
-Once a user click on a validation link, it is taken to the Identity Server validation page where the token is submited.  
+Once a user click on a validation link, it is taken to the Identity Server validation page where the token is submitted.  
 If the session or token is invalid, an error page is displayed.  
 Workflow pages are also available for the remote 3PID session process.
-See [the dedicated document](3pid-views.md)
+See [the dedicated document](session-views.md)
 on how to configure/customize/brand those pages to your liking.
 ### Scenarios
 It is important to keep in mind that mxisd does not create bindings, irrelevant if a user added a 3PID to their profile.  
-Instead, when queried for bindings, mxisd will query Identity backends which are responsible to store this kind of information.
+Instead, when queried for bindings, mxisd will query Identity stores which are responsible to store this kind of information.
 This has the side effect that any 3PID added to a user profile which is NOT within a configured and enabled Identity backend
 will simply not be usable for search or invites, **even on the same Homeserver!**  
@@ -220,18 +169,17 @@ mxisd does not store binds on purpose, as one of its primary goal is to ensure m
 and the rest of the Matrix ecosystem is preserved.
 Nonetheless, because mxisd also aims at offering support for tight control over identity data, it is possible to have
-such 3PID bindings available for search and invite queries on the local Homeserver by using the `SQL` backend and
+such 3PID bindings available for search and invite queries on synapse with the corresponding [Identity store](../../stores/synapse.md).
 configuring it to use the synapse database. Support for `SQLite` and `PostgreSQL` is available.
 See the [Local sessions only](#local-sessions-only) use case for more information on how to configure.
 #### Default
 By default, mxisd allows the following:
-|  | Local Session | Remote Session |
+|                 | Local Session     | Remote Session |
-|----------------|-------|--------|
+|-----------------|-------------------|----------------|
-| **Local 3PID** | Yes | Yes, offered |
+| **Local 3PID**  | Yes               | Yes, offered   |
-| **Remote 3PID** | No, Remote forced | Yes |
+| **Remote 3PID** | No, Remote forced | Yes            |
 This is usually what people expect and will feel natural to users and does not involve further integration.
@@ -243,8 +191,8 @@ Other e-mail addresses and phone number will be redirected to remote sessions to
 ecosystem and other federated servers.
 #### Local sessions only
-**NOTE:** This does not affect 3PID lookups (queries to find Matrix IDs) which will remain public due to limitation
+**NOTE:** This does not affect 3PID lookups (queries to find Matrix IDs). See [Federation](../../features/federation.md)
-in the Matrix protocol.
+to disable remote lookup for those.
 This configuration ensures maximum confidentiality and privacy.
 Typical use cases:
@@ -256,37 +204,22 @@ No 3PID will be sent to a remote Identity server and all validation will be perf
 On the flip side, people with *Remote* 3PID scopes will not be found from other servers.
 Use the following values:
-```
+```yaml
-session:
+session.policy.validation.enabled: true
-  policy:
+session.policy.validation.forLocal:
-    validation:
+  enabled: true
-      enabled: true
+  toLocal: true
-      forLocal:
+  toRemote:
-        enabled: true
+    enabled: false
-        toLocal: true
+session.policy.validation.forRemote:
-        toRemote:
+  enabled: true
-          enabled: false
+  toLocal: true
-      forRemote:
+  toRemote:
-        enabled: true
+    enabled: false
        toLocal: true
        toRemote:
          enabled: false
 ```
-**IMPORTANT**: When using local-only mode, you will also need to link mxisd to synapse if you want user searches and invites to work.
+**IMPORTANT**: When using local-only mode and if you are using synapse, you will also need to enable its dedicated Identity
-To do so, add/edit the following configuration keys:
+store if you want user searches and invites to work. To do so, see the [dedicated document](../../stores/synapse.md).
 ```
 synapseSql:
  enabled: true
  type: 'SET TO PROPER VALUE'
  connection: 'SET TO PROPER VALUE'
 ```
 - `synapseSql.enabled` set to `true` to activate the SQL backend.
 - `synapseSql.type` can be set to `sqlite` or `postgresql`, depending on your synapse setup.
 - `synapseSql.connection` use a JDBC format which is appened after the `jdbc:type:` connection URI.
 Example values for each type:
  - `sqlite`: `/path/to/homeserver.db`
  - `postgresql`: `//localhost/database?user=synapse&password=synapse`
 #### Remote sessions only
 This configuration ensures all 3PID are made public for maximum compatibility and reach within the Matrix ecosystem, at
@@ -297,31 +230,25 @@ Typical use cases:
 - Homeserver with registration enabled
 Use the following values:
-```
+```yaml
-session:
+session.policy.validation.enabled: true
-  policy:
+session.policy.validation.forLocal:
-    validation:
+  enabled: true
-      enabled: true
+  toLocal: false
-      forLocal:
+  toRemote:
-        enabled: true
+    enabled: true
-        toLocal: false
+session.policy.validation.forRemote:
-        toRemote:
+  enabled: true
-          enabled: true
+  toLocal: false
-      forRemote:
+  toRemote:
-        enabled: true
+    enabled: true
        toLocal: false
        toRemote:
          enabled: true
 ```
 #### Sessions disabled
 This configuration would disable 3PID session altogether, preventing users from adding emails and/or phone numbers to
 their profiles.  
 This would be used if mxisd is also performing authentication for the Homeserver, typically with synapse and the
-[REST Auth module](https://github.com/kamax-io/matrix-synapse-rest-auth).
+[REST password provider](https://github.com/kamax-io/matrix-synapse-rest-auth).
 While this feature is not yet ready in the REST auth module, you would use this configuration mode to auto-populate 3PID
 at user login and prevent any further add.
 **This mode comes with several important restrictions:**
 - This does not prevent users from removing 3PID from their profile. They would be unable to add them back!
@@ -330,9 +257,6 @@ at user login and prevent any further add.
 It is therefore recommended to not fully disable sessions but instead restrict specific set of 3PID and Session scopes.
 Use the following values to enable this mode:
-```
+```yaml
-session:
+session.policy.validation.enabled: false
  policy:
    validation:
      enabled: false
 ```
--- a/src/main/java/io/kamax/mxisd/auth/provider/BackendAuthResult.java
+++ b/src/main/java/io/kamax/mxisd/auth/provider/BackendAuthResult.java
@@ -20,7 +20,7 @@
 package io.kamax.mxisd.auth.provider;
-import io.kamax.matrix._ThreePid;
+import io.kamax.matrix.ThreePid;
 import io.kamax.mxisd.UserID;
 import io.kamax.mxisd.UserIdType;
@@ -32,13 +32,13 @@ public class BackendAuthResult {
    public static class BackendAuthProfile {
        private String displayName;
-        private Set<_ThreePid> threePids = new HashSet<>();
+        private Set<ThreePid> threePids = new HashSet<>();
        public String getDisplayName() {
            return displayName;
        }
-        public Set<_ThreePid> getThreePids() {
+        public Set<ThreePid> getThreePids() {
            return threePids;
        }
    }
@@ -85,7 +85,7 @@ public class BackendAuthResult {
        return profile;
    }
-    public BackendAuthResult withThreePid(_ThreePid threePid) {
+    public BackendAuthResult withThreePid(ThreePid threePid) {
        this.profile.threePids.add(threePid);
        return this;
--- a/src/main/java/io/kamax/mxisd/backend/memory/MemoryIdentityStore.java
+++ b/src/main/java/io/kamax/mxisd/backend/memory/MemoryIdentityStore.java
@@ -163,7 +163,7 @@ public class MemoryIdentityStore implements AuthenticatorProvider, IDirectoryPro
                return BackendAuthResult.failure();
            } else {
                BackendAuthResult result = new BackendAuthResult();
-                id.getThreepids().forEach(result::withThreePid);
+                id.getThreepids().forEach(tpid -> result.withThreePid(new ThreePid(tpid.getMedium(), tpid.getAddress())));
                result.succeed(mxid.getId(), UserIdType.MatrixID.getId(), "");
                return result;
            }
--- a/src/main/java/io/kamax/mxisd/config/ldap/LdapConfig.java
+++ b/src/main/java/io/kamax/mxisd/config/ldap/LdapConfig.java
@@ -359,6 +359,7 @@ public abstract class LdapConfig {
        log.info("Host: {}", connection.getHost());
        log.info("Port: {}", connection.getPort());
        log.info("TLS: {}", connection.isTls());
        log.info("Bind DN: {}", connection.getBindDn());
        log.info("Base DN: {}", connection.getBaseDn());
--- a/src/main/java/io/kamax/mxisd/controller/directory/v1/io/UserDirectorySearchResult.java
+++ b/src/main/java/io/kamax/mxisd/controller/directory/v1/io/UserDirectorySearchResult.java
@@ -20,8 +20,8 @@
 package io.kamax.mxisd.controller.directory.v1.io;
-import java.util.ArrayList;
+import java.util.HashSet;
-import java.util.List;
+import java.util.Set;
 public class UserDirectorySearchResult {
@@ -55,10 +55,31 @@ public class UserDirectorySearchResult {
            this.userId = userId;
        }
        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            if (o == null || getClass() != o.getClass()) return false;
            Result result = (Result) o;
            if (displayName != null ? !displayName.equals(result.displayName) : result.displayName != null)
                return false;
            if (avatarUrl != null ? !avatarUrl.equals(result.avatarUrl) : result.avatarUrl != null) return false;
            return userId.equals(result.userId);
        }
        @Override
        public int hashCode() {
            int result = displayName != null ? displayName.hashCode() : 0;
            result = 31 * result + (avatarUrl != null ? avatarUrl.hashCode() : 0);
            result = 31 * result + userId.hashCode();
            return result;
        }
    }
    private boolean limited;
-    private List<Result> results = new ArrayList<>();
+    private Set<Result> results = new HashSet<>();
    public boolean isLimited() {
        return limited;
@@ -68,11 +89,11 @@ public class UserDirectorySearchResult {
        this.limited = limited;
    }
-    public List<Result> getResults() {
+    public Set<Result> getResults() {
        return results;
    }
-    public void setResults(List<Result> results) {
+    public void setResults(Set<Result> results) {
        this.results = results;
    }
--- a/src/main/java/io/kamax/mxisd/controller/identity/v1/InvitationController.java
+++ b/src/main/java/io/kamax/mxisd/controller/identity/v1/InvitationController.java
@@ -22,13 +22,13 @@ package io.kamax.mxisd.controller.identity.v1;
 import com.google.gson.Gson;
 import io.kamax.matrix.MatrixID;
 import io.kamax.matrix.crypto.KeyManager;
 import io.kamax.mxisd.config.ServerConfig;
 import io.kamax.mxisd.controller.identity.v1.io.ThreePidInviteReplyIO;
 import io.kamax.mxisd.invitation.IThreePidInvite;
 import io.kamax.mxisd.invitation.IThreePidInviteReply;
 import io.kamax.mxisd.invitation.InvitationManager;
 import io.kamax.mxisd.invitation.ThreePidInvite;
 import io.kamax.mxisd.key.KeyManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
--- a/src/main/java/io/kamax/mxisd/controller/identity/v1/KeyController.java
+++ b/src/main/java/io/kamax/mxisd/controller/identity/v1/KeyController.java
@@ -22,9 +22,9 @@ package io.kamax.mxisd.controller.identity.v1;
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import io.kamax.matrix.crypto.KeyManager;
 import io.kamax.mxisd.controller.identity.v1.io.KeyValidityJson;
 import io.kamax.mxisd.exception.BadRequestException;
 import io.kamax.mxisd.key.KeyManager;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -64,7 +64,7 @@ public class KeyController {
    @RequestMapping(value = "/pubkey/ephemeral/isvalid", method = GET)
    public String checkEphemeralKeyValidity(HttpServletRequest request) {
-        log.warn("Ephemeral key was request but no ephemeral key are generated, replying not valid");
+        log.warn("Ephemeral key was requested but no ephemeral key are generated, replying not valid");
        return invalidKey;
    }
--- a/src/main/java/io/kamax/mxisd/controller/identity/v1/MappingController.java
+++ b/src/main/java/io/kamax/mxisd/controller/identity/v1/MappingController.java
@@ -22,11 +22,14 @@ package io.kamax.mxisd.controller.identity.v1;
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import io.kamax.matrix.crypto.SignatureManager;
 import io.kamax.matrix.event.EventKey;
 import io.kamax.matrix.json.MatrixJson;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.controller.identity.v1.io.SingeLookupReplyJson;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.lookup.*;
 import io.kamax.mxisd.lookup.strategy.LookupStrategy;
 import io.kamax.mxisd.signature.SignatureManager;
 import io.kamax.mxisd.util.GsonParser;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
@@ -57,6 +60,9 @@ public class MappingController {
    private Gson gson = new Gson();
    private GsonParser parser = new GsonParser(gson);
    @Autowired
    private MatrixConfig mxCfg;
    @Autowired
    private LookupStrategy strategy;
@@ -92,16 +98,12 @@ public class MappingController {
        }
        SingleLookupReply lookup = lookupOpt.get();
        if (lookup.isSigned()) {
            log.info("Lookup is already signed, sending as-is");
            return lookup.getBody();
        } else {
            log.info("Lookup is not signed, signing");
            JsonObject obj = gson.toJsonTree(new SingeLookupReplyJson(lookup)).getAsJsonObject();
            obj.add("signatures", signMgr.signMessageGson(gson.toJson(obj)));
-            return gson.toJson(obj);
+        // FIXME signing should be done in the business model, not in the controller
-        }
+        JsonObject obj = gson.toJsonTree(new SingeLookupReplyJson(lookup)).getAsJsonObject();
        obj.add(EventKey.Signatures.get(), signMgr.signMessageGson(MatrixJson.encodeCanonical(obj)));
        return gson.toJson(obj);
    }
    @RequestMapping(value = "/bulk_lookup", method = POST)
--- a/src/main/java/io/kamax/mxisd/controller/identity/v1/io/SingeLookupReplyJson.java
+++ b/src/main/java/io/kamax/mxisd/controller/identity/v1/io/SingeLookupReplyJson.java
@@ -22,9 +22,6 @@ package io.kamax.mxisd.controller.identity.v1.io;
 import io.kamax.mxisd.lookup.SingleLookupReply;
 import java.util.HashMap;
 import java.util.Map;
 public class SingeLookupReplyJson {
    private String address;
@@ -33,7 +30,6 @@ public class SingeLookupReplyJson {
    private long not_after;
    private long not_before;
    private long ts;
    private Map<String, Map<String, String>> signatures = new HashMap<>();
    public SingeLookupReplyJson(SingleLookupReply reply) {
        this.address = reply.getRequest().getThreePid();
@@ -68,8 +64,4 @@ public class SingeLookupReplyJson {
        return ts;
    }
    public boolean isSigned() {
        return signatures != null && !signatures.isEmpty();
    }
 }
--- a/src/main/java/io/kamax/mxisd/invitation/InvitationManager.java
+++ b/src/main/java/io/kamax/mxisd/invitation/InvitationManager.java
@@ -24,6 +24,7 @@ import com.google.gson.Gson;
 import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
 import io.kamax.matrix.MatrixID;
 import io.kamax.matrix.crypto.SignatureManager;
 import io.kamax.mxisd.config.InvitationConfig;
 import io.kamax.mxisd.dns.FederationDnsOverwrite;
 import io.kamax.mxisd.exception.BadRequestException;
@@ -32,7 +33,6 @@ import io.kamax.mxisd.lookup.SingleLookupReply;
 import io.kamax.mxisd.lookup.ThreePidMapping;
 import io.kamax.mxisd.lookup.strategy.LookupStrategy;
 import io.kamax.mxisd.notification.NotificationManager;
 import io.kamax.mxisd.signature.SignatureManager;
 import io.kamax.mxisd.storage.IStorage;
 import io.kamax.mxisd.storage.ormlite.ThreePidInviteIO;
 import org.apache.commons.io.IOUtils;
--- a/src/main/java/io/kamax/mxisd/key/KeyManager.java
+++ b/src/main/java/io/kamax/mxisd/key/KeyManager.java
@@ -1,115 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.key;
 import io.kamax.mxisd.config.KeyConfig;
 import net.i2p.crypto.eddsa.EdDSAEngine;
 import net.i2p.crypto.eddsa.EdDSAPrivateKey;
 import net.i2p.crypto.eddsa.EdDSAPublicKey;
 import net.i2p.crypto.eddsa.KeyPairGenerator;
 import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
 import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
 import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
 import org.apache.commons.io.FileUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import javax.annotation.PostConstruct;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.KeyPair;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
 import java.util.ArrayList;
 import java.util.Base64;
 import java.util.List;
@Component
 public class KeyManager {
    @Autowired
    private KeyConfig keyCfg;
    private EdDSAParameterSpec keySpecs;
    private EdDSAEngine signEngine;
    private List<KeyPair> keys;
    @PostConstruct
    public void build() {
        try {
            keySpecs = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.CURVE_ED25519_SHA512);
            signEngine = new EdDSAEngine(MessageDigest.getInstance(keySpecs.getHashAlgorithm()));
            keys = new ArrayList<>();
            Path privKey = Paths.get(keyCfg.getPath());
            if (!Files.exists(privKey)) {
                KeyPair pair = (new KeyPairGenerator()).generateKeyPair();
                String keyEncoded = Base64.getEncoder().encodeToString(pair.getPrivate().getEncoded());
                FileUtils.writeStringToFile(privKey.toFile(), keyEncoded, StandardCharsets.ISO_8859_1);
                keys.add(pair);
            } else {
                if (Files.isDirectory(privKey)) {
                    throw new RuntimeException("Invalid path for private key: " + privKey.toString());
                }
                if (Files.isReadable(privKey)) {
                    byte[] seed = Base64.getDecoder().decode(FileUtils.readFileToString(privKey.toFile(), StandardCharsets.ISO_8859_1));
                    EdDSAPrivateKeySpec privKeySpec = new EdDSAPrivateKeySpec(seed, keySpecs);
                    EdDSAPublicKeySpec pubKeySpec = new EdDSAPublicKeySpec(privKeySpec.getA(), keySpecs);
                    keys.add(new KeyPair(new EdDSAPublicKey(pubKeySpec), new EdDSAPrivateKey(privKeySpec)));
                }
            }
        } catch (NoSuchAlgorithmException | IOException e) {
            throw new RuntimeException(e);
        }
    }
    public int getCurrentIndex() {
        return 0;
    }
    public KeyPair getKeys(int index) {
        return keys.get(index);
    }
    public PrivateKey getPrivateKey(int index) {
        return getKeys(index).getPrivate();
    }
    public EdDSAPublicKey getPublicKey(int index) {
        return (EdDSAPublicKey) getKeys(index).getPublic();
    }
    public EdDSAParameterSpec getSpecs() {
        return keySpecs;
    }
    public String getPublicKeyBase64(int index) {
        return Base64.getEncoder().encodeToString(getPublicKey(index).getAbyte());
    }
 }
--- a/src/main/java/io/kamax/mxisd/lookup/SingleLookupReply.java
+++ b/src/main/java/io/kamax/mxisd/lookup/SingleLookupReply.java
@@ -33,7 +33,6 @@ public class SingleLookupReply {
    private static Gson gson = new Gson();
    private boolean isRecursive;
    private boolean isSigned;
    private String body;
    private SingleLookupRequest request;
    private _MatrixID mxid;
@@ -53,7 +52,6 @@ public class SingleLookupReply {
            reply.notAfter = Instant.ofEpochMilli(json.getNot_after());
            reply.notBefore = Instant.ofEpochMilli(json.getNot_before());
            reply.timestamp = Instant.ofEpochMilli(json.getTs());
            reply.isSigned = json.isSigned();
        } catch (JsonSyntaxException e) {
            // stub - we only want to try, nothing more
        }
@@ -85,10 +83,6 @@ public class SingleLookupReply {
        return isRecursive;
    }
    public boolean isSigned() {
        return isSigned;
    }
    public String getBody() {
        return body;
    }
--- a/src/main/java/io/kamax/mxisd/lookup/provider/ForwarderProvider.java
+++ b/src/main/java/io/kamax/mxisd/lookup/provider/ForwarderProvider.java
@@ -21,6 +21,7 @@
 package io.kamax.mxisd.lookup.provider;
 import io.kamax.mxisd.config.ForwardConfig;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.lookup.SingleLookupReply;
 import io.kamax.mxisd.lookup.SingleLookupRequest;
 import io.kamax.mxisd.lookup.ThreePidMapping;
@@ -42,6 +43,9 @@ class ForwarderProvider implements IThreePidProvider {
    @Autowired
    private ForwardConfig cfg;
    @Autowired
    private MatrixConfig mxCfg;
    @Autowired
    private IRemoteIdentityServerFetcher fetcher;
@@ -62,10 +66,13 @@ class ForwarderProvider implements IThreePidProvider {
    @Override
    public Optional<SingleLookupReply> find(SingleLookupRequest request) {
-        for (String root : cfg.getServers()) {
+        for (String label : cfg.getServers()) {
-            Optional<SingleLookupReply> answer = fetcher.find(root, request);
+            for (String srv : mxCfg.getIdentity().getServers(label)) {
-            if (answer.isPresent()) {
+                log.info("Using forward server {}", srv);
-                return answer;
+                Optional<SingleLookupReply> answer = fetcher.find(srv, request);
                if (answer.isPresent()) {
                    return answer;
                }
            }
        }
@@ -77,13 +84,15 @@ class ForwarderProvider implements IThreePidProvider {
        List<ThreePidMapping> mappingsToDo = new ArrayList<>(mappings);
        List<ThreePidMapping> mappingsFoundGlobal = new ArrayList<>();
-        for (String root : cfg.getServers()) {
+        for (String label : cfg.getServers()) {
-            log.info("{} mappings remaining: {}", mappingsToDo.size(), mappingsToDo);
+            for (String srv : mxCfg.getIdentity().getServers(label)) {
-            log.info("Querying {}", root);
+                log.info("{} mappings remaining: {}", mappingsToDo.size(), mappingsToDo);
-            List<ThreePidMapping> mappingsFound = fetcher.find(root, mappingsToDo);
+                log.info("Querying {}", srv);
-            log.info("{} returned {} mappings", root, mappingsFound.size());
+                List<ThreePidMapping> mappingsFound = fetcher.find(srv, mappingsToDo);
-            mappingsFoundGlobal.addAll(mappingsFound);
+                log.info("{} returned {} mappings", srv, mappingsFound.size());
-            mappingsToDo.removeAll(mappingsFound);
+                mappingsFoundGlobal.addAll(mappingsFound);
                mappingsToDo.removeAll(mappingsFound);
            }
        }
        return mappingsFoundGlobal;
--- a/src/main/java/io/kamax/mxisd/lookup/provider/RemoteIdentityServerFetcher.java
+++ b/src/main/java/io/kamax/mxisd/lookup/provider/RemoteIdentityServerFetcher.java
@@ -23,6 +23,7 @@ package io.kamax.mxisd.lookup.provider;
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParseException;
 import io.kamax.matrix.json.GsonUtil;
 import io.kamax.mxisd.controller.identity.v1.ClientBulkLookupRequest;
 import io.kamax.mxisd.exception.InvalidResponseJsonException;
 import io.kamax.mxisd.lookup.SingleLookupReply;
@@ -33,18 +34,20 @@ import io.kamax.mxisd.matrix.IdentityServerUtils;
 import io.kamax.mxisd.util.GsonParser;
 import io.kamax.mxisd.util.RestClientUtils;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.utils.URIBuilder;
 import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
+import org.apache.http.util.EntityUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.context.annotation.Scope;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
-import java.net.HttpURLConnection;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@@ -59,6 +62,9 @@ public class RemoteIdentityServerFetcher implements IRemoteIdentityServerFetcher
    private Gson gson = new Gson();
    private GsonParser parser = new GsonParser(gson);
    @Autowired
    private CloseableHttpClient client;
    @Override
    public boolean isUsable(String remote) {
        return IdentityServerUtils.isUsable(remote);
@@ -69,24 +75,40 @@ public class RemoteIdentityServerFetcher implements IRemoteIdentityServerFetcher
        log.info("Looking up {} 3PID {} using {}", request.getType(), request.getThreePid(), remote);
        try {
-            HttpURLConnection rootSrvConn = (HttpURLConnection) new URL(
+            URIBuilder b = new URIBuilder(remote);
-                    remote + "/_matrix/identity/api/v1/lookup?medium=" + request.getType() + "&address=" + request.getThreePid()
+            b.setPath("/_matrix/identity/api/v1/lookup");
-            ).openConnection();
+            b.addParameter("medium", request.getType());
-            JsonObject obj = parser.parse(rootSrvConn.getInputStream());
+            b.addParameter("address", request.getThreePid());
-            if (obj.has("address")) {
+            HttpGet req = new HttpGet(b.build());
                log.info("Found 3PID mapping: {}", gson.toJson(obj));
-                return Optional.of(SingleLookupReply.fromRecursive(request, gson.toJson(obj)));
+            try (CloseableHttpResponse res = client.execute(req)) {
                int statusCode = res.getStatusLine().getStatusCode();
                String body = EntityUtils.toString(res.getEntity());
                if (statusCode != 200) {
                    log.warn("Remote returned status code {}", statusCode);
                    log.warn("Body: {}", body);
                    return Optional.empty();
                }
                JsonObject obj = GsonUtil.parseObj(body);
                if (obj.has("address")) {
                    log.debug("Found 3PID mapping: {}", gson.toJson(obj));
                    return Optional.of(SingleLookupReply.fromRecursive(request, gson.toJson(obj)));
                }
                log.info("Empty 3PID mapping from {}", remote);
                return Optional.empty();
            }
            log.info("Empty 3PID mapping from {}", remote);
            return Optional.empty();
        } catch (IOException e) {
            log.warn("Error looking up 3PID mapping {}: {}", request.getThreePid(), e.getMessage());
            return Optional.empty();
        } catch (JsonParseException e) {
            log.warn("Invalid JSON answer from {}", remote);
            return Optional.empty();
        } catch (URISyntaxException e) {
            log.warn("Invalid remote address: {}", e.getMessage(), e);
            return Optional.empty();
        }
    }
@@ -98,12 +120,15 @@ public class RemoteIdentityServerFetcher implements IRemoteIdentityServerFetcher
        mappingRequest.setMappings(mappings);
        String url = remote + "/_matrix/identity/api/v1/bulk_lookup";
        CloseableHttpClient client = HttpClients.createDefault();
        try {
            HttpPost request = RestClientUtils.post(url, mappingRequest);
            try (CloseableHttpResponse response = client.execute(request)) {
-                if (response.getStatusLine().getStatusCode() != 200) {
+                int statusCode = response.getStatusLine().getStatusCode();
-                    log.info("Could not perform lookup at {} due to HTTP return code: {}", url, response.getStatusLine().getStatusCode());
+                String body = EntityUtils.toString(response.getEntity());
                if (statusCode != 200) {
                    log.warn("Could not perform lookup at {} due to HTTP return code: {}", url, statusCode);
                    log.warn("Body: {}", body);
                    return mappingsFound;
                }
--- a/src/main/java/io/kamax/mxisd/session/SessionMananger.java
+++ b/src/main/java/io/kamax/mxisd/session/SessionMananger.java
@@ -277,8 +277,7 @@ public class SessionMananger {
        }
        String is = servers.get(0);
-        String url = IdentityServerUtils.findIsUrlForDomain(is)
+        String url = IdentityServerUtils.findIsUrlForDomain(is).orElse(is);
                .orElseThrow(() -> new InternalServerError(is + " could not be resolved to an Identity server"));
        log.info("Will use IS endpoint {}", url);
        String remoteSecret = session.isRemote() ? session.getRemoteSecret() : RandomStringUtils.randomAlphanumeric(16);
--- a/src/main/java/io/kamax/mxisd/signature/SignatureManager.java
+++ b/src/main/java/io/kamax/mxisd/signature/SignatureManager.java
@@ -1,79 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.signature;
 import com.google.gson.JsonObject;
 import io.kamax.mxisd.config.ServerConfig;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.key.KeyManager;
 import net.i2p.crypto.eddsa.EdDSAEngine;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import javax.annotation.PostConstruct;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
 import java.util.Base64;
@Component
 public class SignatureManager {
    @Autowired
    private KeyManager keyMgr;
    @Autowired
    private ServerConfig srvCfg;
    private EdDSAEngine signEngine;
    private String sign(String message) {
        try {
            byte[] signRaw = signEngine.signOneShot(message.getBytes());
            return Base64.getEncoder().encodeToString(signRaw);
        } catch (SignatureException e) {
            throw new InternalServerError(e);
        }
    }
    public JsonObject signMessageGson(String message) {
        String sign = sign(message);
        JsonObject keySignature = new JsonObject();
        keySignature.addProperty("ed25519:" + keyMgr.getCurrentIndex(), sign);
        JsonObject signature = new JsonObject();
        signature.add(srvCfg.getName(), keySignature);
        return signature;
    }
    @PostConstruct
    public void build() {
        try {
            signEngine = new EdDSAEngine(MessageDigest.getInstance(keyMgr.getSpecs().getHashAlgorithm()));
            signEngine.initSign(keyMgr.getPrivateKey(keyMgr.getCurrentIndex()));
        } catch (NoSuchAlgorithmException | InvalidKeyException e) {
            throw new RuntimeException(e);
        }
    }
 }
--- a/src/main/java/io/kamax/mxisd/spring/CloseableHttpClientFactory.java
+++ b/src/main/java/io/kamax/mxisd/spring/CloseableHttpClientFactory.java
@@ -30,7 +30,11 @@ public class CloseableHttpClientFactory {
    @Bean
    public CloseableHttpClient getClient() {
-        return HttpClients.custom().setUserAgent("mxisd").build();
+        return HttpClients.custom()
                .setUserAgent("mxisd")
                .setMaxConnPerRoute(Integer.MAX_VALUE)
                .setMaxConnTotal(Integer.MAX_VALUE)
                .build();
    }
 }
--- a/src/main/java/io/kamax/mxisd/spring/CryptoFactory.java
+++ b/src/main/java/io/kamax/mxisd/spring/CryptoFactory.java
@@ -0,0 +1,57 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.spring;
 import io.kamax.matrix.crypto.KeyFileStore;
 import io.kamax.matrix.crypto.KeyManager;
 import io.kamax.matrix.crypto.SignatureManager;
 import io.kamax.mxisd.config.KeyConfig;
 import io.kamax.mxisd.config.ServerConfig;
 import org.apache.commons.io.FileUtils;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import java.io.File;
 import java.io.IOException;
@Configuration
 public class CryptoFactory {
    @Bean
    public KeyManager getKeyManager(KeyConfig keyCfg) {
        File keyStore = new File(keyCfg.getPath());
        if (!keyStore.exists()) {
            try {
                FileUtils.touch(keyStore);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
        return new KeyManager(new KeyFileStore(keyCfg.getPath()));
    }
    @Bean
    public SignatureManager getSignatureManager(KeyManager keyMgr, ServerConfig cfg) {
        return new SignatureManager(keyMgr, cfg.getName());
    }
 }
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -24,7 +24,7 @@ matrix:
  domain: ''
  identity:
    servers:
-      root:
+      matrix-org:
        - 'https://matrix.org'
 lookup:
@@ -174,9 +174,7 @@ wordpress:
        threepid: 'SELECT DISTINCT user_login, display_name FROM wp_users WHERE user_email LIKE ?'
 forward:
-  servers:
+  servers: []
    - 'https://matrix.org'
    - 'https://vector.im'
 threepid:
  medium:
@@ -226,13 +224,13 @@ session:
        toLocal: true
        toRemote:
          enabled: true
-          server: 'root'
+          server: 'matrix-org'
      forRemote:
        enabled: true
        toLocal: false
        toRemote:
          enabled: true
-          server: 'root'
+          server: 'matrix-org'
 notification:
 #  handler:
--- a/src/test/java/io/kamax/mxisd/backend/rest/RestDirectoryProviderTest.java
+++ b/src/test/java/io/kamax/mxisd/backend/rest/RestDirectoryProviderTest.java
@@ -33,8 +33,7 @@ import org.junit.Test;
 import java.nio.charset.StandardCharsets;
 import static com.github.tomakehurst.wiremock.client.WireMock.*;
-import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.*;
 import static org.junit.Assert.assertTrue;
 public class RestDirectoryProviderTest {
@@ -89,8 +88,8 @@ public class RestDirectoryProviderTest {
        UserDirectorySearchResult result = p.searchByDisplayName(byNameSearch);
        assertTrue(!result.isLimited());
-        assertTrue(result.getResults().size() == 1);
+        assertEquals(1, result.getResults().size());
-        UserDirectorySearchResult.Result entry = result.getResults().get(0);
+        UserDirectorySearchResult.Result entry = result.getResults().iterator().next();
        assertNotNull(entry);
        assertTrue(StringUtils.equals(byNameAvatar, entry.getAvatarUrl()));
        assertTrue(StringUtils.equals(byNameDisplay, entry.getDisplayName()));
@@ -132,8 +131,8 @@ public class RestDirectoryProviderTest {
        UserDirectorySearchResult result = p.searchBy3pid(byThreepidSearch);
        assertTrue(!result.isLimited());
-        assertTrue(result.getResults().size() == 1);
+        assertEquals(1, result.getResults().size());
-        UserDirectorySearchResult.Result entry = result.getResults().get(0);
+        UserDirectorySearchResult.Result entry = result.getResults().iterator().next();
        assertNotNull(entry);
        assertTrue(StringUtils.equals(byThreepidAvatar, entry.getAvatarUrl()));
        assertTrue(StringUtils.equals(byThreepidDisplay, entry.getDisplayName()));
Author	SHA1	Message	Date
Max Dor	f55d5fbc80	Make central IS opt-in (#80 )	2018-05-31 13:24:00 +02:00
Max Dor	b613415dc4	Fix doc layout (cosmetic)	2018-05-18 01:47:43 +02:00
Max Dor	0549d23d21	Add LDAP TLS config value in logs	2018-05-16 15:42:24 +02:00
Max Dor	b493ccd479	De-duplicate results from Identity stores in Directory searches	2018-04-26 01:45:04 +02:00
Max Dor	03e72ba155	Use the correct domain (server name) for signatures	2018-04-22 19:27:52 +02:00
Max Dor	32a3444a9e	Document the correct property for SQL usernames	2018-04-22 00:39:18 +02:00
Max Dor	78a25c21ba	Code maintenance - Switch to HttpClient for remote fetcher - Don't fail for remote binding on matrix.org	2018-04-13 08:14:09 +02:00
Max Dor	ef80f4aa30	Documentation enhancements (#73 )	2018-04-13 03:26:33 +02:00
Max Dor	1e413af019	Fix crypto A recent change in synapse shown that the various classes handling crypto were broken. All the crypto code has been refactored in the SDK and the local code has been adapted.	2018-04-11 23:37:33 +02:00
Max Dor	a0f8af820e	Fix minor regression with Auth feature and REST/Memory backend See https://matrix.to/#/!NPRUEisLjcaMtHIzDr:kamax.io/$1523216730848820dFUZX:matrix.org	2018-04-08 22:05:36 +02:00