Single Sign-On via OIDC/OAuth2 (attempt #2)

Review changes
Download
Patches
Plain diff

avdb requested to merge avdb13/conduit:sso-oidc into next May 12, 2024

Overview 20
Commits 21
Pipelines 15
Changes 44

Continuation of !80 (closed) and !587 (closed).

The goal of this MR is unrelated to the implementation of MSC3861 (the delegation of authentication via OIDC), although this would still benefit the implementation of the former proposal by incorporating the authentication protocol. This MR merely aims at allowing login through m.login.sso, dropping the requirement of a password during registration.

Requirements

Extending validators in mas-oidc-client to be more flexible
Do not require UIA when first uploading cross signing keys
Email verification as a registration requirement

TODOs

core

Document related configuration (draft)
OIDC-compliant provider support
OAuth2 provider support (draft, Github tested successfully)
Configurable unique claim
/_matrix/client/v3/auth/<auth_type>/fallback/web endpoint
UIA API integration

nice-to-have

RP-initiated backchannel logout
ClientSecretJwt/PrivateKeyJwt client credentials (required for Apple)
Migrate existing accounts while providing their password as a fallback
Pushed authorization requests
Device authorization flow for QR code login

I ran cargo fmt and cargo test
I agree to release my code and all other changes of this MR under the Apache-2.0 license

Closes #134

Edited Jun 12, 2024 by Matthias Ahouansou

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking