BREAKING: implement Native OIDC as per MSC 3861

[TheOneWithTheBraid]

BREAKING: changes to the database API to better reflect the OIDC state

This implementation is based on the draft of native OIDC I implemented in < polycule >. It can be found here. Unlike in my initial draft, this implementation of course does not rely on any Flutter package but ships a minimal OIDC state machine relying on the matrix client to provide the native callback result via a Completer.

This implementation does not aim to comply to the full OIDC standard but only the subset required as per the MSCs stated below.

This PR does not aim to implement OIDC device flow as per MSC 4108 nor the changes for the application services as per MSC 4190.

Roadmap:

• initial viable implementation
• migrate the < polycule > implementation to this OIDC stack
• excessive testing
• figure out a test concept

Implements:

• MSC 3861 - Next-generation auth for Matrix, based on OAuth 2.0/OIDC
  • MSC 1597 - Better spec for matrix identifiers
  • MSC 2964 - Usage of OAuth 2.0 authorization code grant and refresh token grant
  • MSC 2965 - OAuth 2.0 Authorization Server Metadata discovery
  • MSC 2966 - Usage of OAuth 2.0 Dynamic Client Registration in Matrix
  • MSC 2967 - API scopes
  • MSC 3824 - OIDC aware clients
  • MSC 4108 - Mechanism to allow OIDC sign in and E2EE set up via QR code - not planned for this PR
  • MSC 4190 - Device management for application services - not planned for this PR
  • MSC 4191 - Account management deep-linking

[TheOneWithTheBraid]

A comment on the changes to the database API:

I initially intended to just keep all OIDC-related state (device ID, OAuth2.0 client ID, auth metadata) in memory until the OIDC flow completes. I sadly figured out the Dart process might get killed by the platform for battery optimization. In order to complete the flow after the main process was killed, I decided to store the OAuth2 client ID and the homeserver's auth metadata in the database as well as to split the device ID from the remaining client store since now the device ID is present a long time before the rest of the account is available.

Even though I so far already implemented the database API changes with this in mind, there is no way to resume an OIDC flow from a new thread yet.

[TheOneWithTheBraid]

Outdated review hint

Review notice: So far, the default behavior of the updated Client.getWellknown is to only check the brand new /auth_metadata endpoint. This might require Synapse nightly builds to work. Client developers however are free to use the previous revision of the MSC suggesting to use the /auth_issuer endpoint or the .well-known entry containing the org.matrix.msc2965.authentication field. All three possible implementations are supported in this PR. Since the default is definitely going to be the new /auth_metadata, the implementation already suggests this at this point.

EDIT: I adjusted the behavior of Client.getWellknown to cope with all three permitted approaches of OIDC discovery. The implementation will therefore work with both stable Synapse releases as well as cutting edge Synapse builds already using the newest approach.

You can now easily use e.g. synapse-oidc.element.dev for testing.

[TheOneWithTheBraid]

The < polycule > side implementation is now merged and works like a charm. Maybe that's helpful for testing this PR in real world: https://gitlab.com/polycule_client/polycule/-/merge_requests/245

[TheOneWithTheBraid]

Since I unaskedly opened this PR, I'd kindly offer to take care of the OIDC code's maintenance in future too. You folks all have my MXID and can always poke me if there are future issues about the OIDC code.

[TheOneWithTheBraid]

Clients might require the following workaround for #2027 : #2027 (comment)

[krille-chan]

Is this related?

[TheOneWithTheBraid]

Yes, the token rotation might otherwise happen during the requests as mentioned in the comment in the line above.

[krille-chan]

I don't get it. Can you please explain?

[TheOneWithTheBraid]

Is there any update on review of this PR ? It's now been months and months of waiting and I still did not even get a response on whether you are actually willing to ever accept this contribution. Instead only vaguely related comments.

[TheOneWithTheBraid]

Yes, the token rotation might otherwise happen during the requests as mentioned in the comment in the line above.

[td-famedly]

helo :3 sorry for the delay. I will now start reading the msc(s) and try to get back to this asap!

(still expecting a marklin set on my bday!)

edit:

It's now been months and months of waiting and I still did not even get a response on whether you are actually willing to ever accept this contribution. Instead only vaguely related comments.

Sorry for the delay, everyone internally has been super busy with "work". I have not heard anything about not accepting this contribution so I will review it with the end goal of getting it merged asap! Again thank you very much for the contribution and sorry for the delay!

[td-famedly]

very draft review, will try to go through the whole flow and look at the client implementation after this

[td-famedly]

would it be possible to add tests for this?

[td-famedly]

only a little bit concerned that this is a draft msc

[TheOneWithTheBraid]

Yeah, it's a draft but a) it doesn't break anything and b) it's so much of a simple MSC, I don't see much regression in it - even if we should happen to adjust the behavior later in time.

[krille-chan]

The method name says nothing about what it does? No idea what this is flow. Please switch this to a proper name with dart docs

[krille-chan]

I'm still not happy with this method name. A flow is a thing, not an action but a method is an action so it would better to be more intuitive to use a verb here like: loginWithOidcAuthGrantFlow()

[TheOneWithTheBraid]

It's not called oidcLoginAuthorizationGrantFlow. All methods related to OIDC use this prefix and I'd avoid having a gap word such as with in a method name.

[TheOneWithTheBraid]

Maybe the major confusion comes from the work login : Using OIDC you do not "log in" using the matrix dart SDK but you login to your browser and use a token to authenticate. This process is simply not a login. That's why I prefer the technically accurate term oidcAuthorizationGrantFlow.

[krille-chan]

Looks quite good so far, though I'm not that into the MSCs of Matrix. Will test out if it works with oidc login on FluffyChat soon...

[krille-chan]

Can you add an example how to actually use this?

[krille-chan]

If oidc is already part of the method name and there is no other clientId we can IMO just name this clientId. afaik other APIs using OIDC treat it the same

[TheOneWithTheBraid]

Sure, renamed !

[TheOneWithTheBraid]

Sure, renamed !

[krille-chan]

This now contains 22 commits. Can you clean up the commit history please?

[krille-chan]

I'm not sure if this is the right approach to create methods for every single thing we store in the Client Database. This is now already messed up as we use getClient and updateClient to update single fields but now for other single fields we have methods. What about just adding one generic method getClientData(ClientData key) and putClientData(ClientData key, value) where ClientData is an enum of all possible fields

[TheOneWithTheBraid]

I migrated the String based key-value access on the client box contents to your proposed enum-based approach. I'd suggest to further extend this to a type safe approach including the values of the box but this is way beyond the scope of this OIDC-related PR.

[TheOneWithTheBraid]

This now contains 22 commits. Can you clean up the commit history please?

You can squash the commits as soon as you want to merge this PR. It does not make sense to rewrite the commit history before review is done. Squashing the commits is a task for the person merging this PR at the end.

[krille-chan]

Seeing this I've no idea how to use it with for example flutter_web_auth(2) package. In the end I get a URL I need to open where I pass a redirect_uri and receive a token back, right? How is this done here?

Is a Completer really the best choice? Would it be possible to use a callback instead? Something like String Function(Uri uri) onAuth which we then set like this:

await client.oidcAuthorizationGrantFlow(
  // ...
  onAuth: (Uri uri) async {
    final token = await FlutterWebAuth2.authenticate(uri);
    return token;
  }
);

Another question: In browser apps it might be desired to open it in the same tab which in a flutter context would mean that the app unloads and then starts again. So we need to store information somewhere and continue with the received token later. Is this also possible here?

[krille-chan]

This now contains 22 commits. Can you clean up the commit history please?

You can squash the commits as soon as you want to merge this PR. It does not make sense to rewrite the commit history before review is done. Squashing the commits is a task for the person merging this PR at the end.

Not sure. A commit message should always explain all changes and why. Just a squashed feat: Implement OIDC wouldn't explain the changes in the database for example. Having this split up into multiple commits which can be reviewed one after another would be preferred. Something like:

• refactor: Use typed enums for database client access
• Implement MSC1, MSC2, MSC3
• Implement MSC4, MSC5

and so on. Preferrable with commit messages which explain a little bit more.

[krille-chan]

I'm not yet familiar with the OIDC MSCs in Matrix so this would need a review from someone else