OIDC: Determine homeserver is OIDC enabled #25466

Closed
Tracked by #25392
kerryarchibald opened this issue May 29, 2023 · 1 comment
kerryarchibald commented May 29, 2023

Client implementation guide

Is homeserver OIDC enabled?

OIDC-aware Element Web examines the list of available login flows (see Login.ts) and if we find an OIDC one masquerading as an SSO flow, we only display that.

For native OIDC we will use the homeserver .well-known to determine OIDC support. When the client .well-known includes a valid m.authentication section (MSC2965), consider OIDC enabled.

This implementation will rely on .well-known to determine OIDC support. Not all Matrix servers have the well-known client discovery mechanism set up, so we will be unable to discover the auth server for those. If a user enters a Matrix server URL instead of a server name, we will also be unable to discover the auth server.
Alternative methods of auth server discovery might be addressed later.

AC:

  • validate m.authentication section from client .well-known in buildValidatedConfigFromDiscovery
  • when a valid m.authentication config is found, fetch .well-known/openid-configuration from the configured issuer
  • validate the issuer configuration is valid for our use case. See hydrogen implementation
    Required properties are:
    • authorization_endpoint
    • token_endpoint
    • registration_endpoint
    • response_types_supported includes code
    • response_modes_supported includes fragment
    • grant_types_supported includes authorization_code
    • code_challenge_methods_supported includes S256

See https://github.com/sandhose/matrix-doc/blob/msc/sandhose/oauth2-profile/proposals/2964-oauth2-profile.md#native-and-browser-based-clients
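The two checks in the acceptance criteria, as an added example that is not Element Web's or matrix-js-sdk's own code: the first accepts a client .well-known only when its m.authentication section carries a usable issuer, the second lists every required property the issuer's openid-configuration is missing. The interface shapes, the function names and the https-only rule on the issuer are assumptions of this example.

```typescript
// Added example, not code from the issue or from Element Web.
// Shapes follow MSC2965 (m.authentication) and OIDC discovery metadata;
// only the fields this check needs are declared.
interface ClientWellKnown {
  "m.homeserver"?: { base_url?: string };
  "m.authentication"?: { issuer?: string; account?: string };
}

interface OidcIssuerMetadata {
  authorization_endpoint?: string;
  token_endpoint?: string;
  registration_endpoint?: string;
  response_types_supported?: string[];
  response_modes_supported?: string[];
  grant_types_supported?: string[];
  code_challenge_methods_supported?: string[];
}

// Returns the issuer URL when m.authentication is usable, otherwise null.
// The https-only requirement is an assumption of this example: the issuer
// URL decides where tokens are sent, so an unauthenticated origin is refused.
function validateAuthenticationSection(wk: ClientWellKnown): string | null {
  const auth = wk["m.authentication"];
  if (!auth || typeof auth.issuer !== "string") return null;
  try {
    return new URL(auth.issuer).protocol === "https:" ? auth.issuer : null;
  } catch {
    return null; // issuer is not a parseable URL
  }
}

// Returns the list of problems with the issuer's openid-configuration;
// an empty list means the issuer supports the flow the client needs
// (authorization code + PKCE S256, response delivered in the fragment).
function validateIssuerMetadata(meta: OidcIssuerMetadata): string[] {
  const problems: string[] = [];
  const endpoints = ["authorization_endpoint", "token_endpoint", "registration_endpoint"] as const;
  for (const key of endpoints) {
    if (typeof meta[key] !== "string") problems.push(`missing ${key}`);
  }
  const required: Array<[keyof OidcIssuerMetadata, string]> = [
    ["response_types_supported", "code"],
    ["response_modes_supported", "fragment"],
    ["grant_types_supported", "authorization_code"],
    ["code_challenge_methods_supported", "S256"],
  ];
  for (const [key, value] of required) {
    const list = meta[key];
    if (!Array.isArray(list) || !list.includes(value)) problems.push(`${key} must include ${value}`);
  }
  return problems;
}
```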

@kerryarchibald kerryarchibald self-assigned this May 29, 2023
@kerryarchibald kerryarchibald changed the title OIDC: Discover OP OIDC: Discover OIDC OP May 29, 2023
@kerryarchibald kerryarchibald changed the title OIDC: Discover OIDC OP OIDC: Discover OP May 29, 2023
@kerryarchibald kerryarchibald changed the title OIDC: Discover OP OIDC: Determine homeserver is OIDC enabled May 29, 2023
@kerryarchibald (author):

Closed by matrix-org/matrix-js-sdk#3419
