Single Sign-On via OIDC/OAuth2 (attempt #2)
Continuation of !80 (closed) and !587 (closed).
The goal of this MR is unrelated to the implementation of MSC3861 (the delegation of authentication via OIDC), although this would still benefit the implementation of the former proposal by incorporating the authentication protocol. This MR merely aims at allowing login through m.login.sso, dropping the requirement of a password during registration.
Requirements
- Extending validators in mas-oidc-client to be more flexible
- Do not require UIA when first uploading cross signing keys
- Email verification as a registration requirement
TODOs
core
- Document related configuration (draft)
- OIDC-compliant provider support
- OAuth2 provider support (draft, Github tested successfully)
- Configurable unique claim
- /_matrix/client/v3/auth/<auth_type>/fallback/web endpoint
- UIA API integration
nice-to-have
- RP-initiated backchannel logout
- ClientSecretJwt/PrivateKeyJwt client credentials (required for Apple)
- Migrate existing accounts while providing their password as a fallback
- Pushed authorization requests
- Device authorization flow for QR code login
- I ran cargo fmt and cargo test
- I agree to release my code and all other changes of this MR under the Apache-2.0 license
Closes #134
Edited by Matthias Ahouansou