Feature: Single Sign-On through OIDC/OAuth2

Review changes
Download
Patches
Plain diff

avdb requested to merge avdb13/conduit:oidc into next Feb 22, 2024

Overview 37
Commits 18
Pipelines 8
Changes 36

The goal of this MR is unrelated to the implementation of MSC3861 (the delegation of authentication via OIDC), although this would still benefit the implementation of the former proposal by incorporating the authentication protocol. This MR merely aims at allowing login through m.login.sso, dropping the requirement of a password during registration.

TODOs

extend the configuration with relevant options
attempt to also support for OAuth2 providers like Github and Facebook
allow OIDC Discovery in place of specifying each endpoint manually
implement fallback pages for user interaction requirements
UIA support
allow multiple identity providers per account
properly test all identity providers supported by Synapse
provide backchannel logout
custom claims support
allow complete or partial migration of existing accounts
configurable attribute boundaries (not sure why Synapse supports this)

Some of the above goals were features requested by other users/contributors and this functionality is not necessarily part of any specification.

I ran cargo fmt and cargo test
I agree to release my code and all other changes of this MR under the Apache-2.0 license

Edited Apr 21, 2024 by avdb

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking