OIDC: Make authorization request #25574

@kerryarchibald

3.1.1. Authorization Code Flow Steps
The Authorization Code Flow goes through the following steps.

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server Authenticates the End-User.
  4. Authorization Server obtains End-User Consent/Authorization.
  5. Authorization Server sends the End-User back to the Client with an Authorization Code.
  6. Client requests a response using the Authorization Code at the Token Endpoint.
  7. Client receives a response that contains an ID Token and Access Token in the response body.
  8. Client validates the ID token and retrieves the End-User's Subject Identifier.

https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

This task addresses steps 1-5

There are three scopes that you need to request access to:

  • openid - standard OIDC scope
  • urn:matrix:org.matrix.msc2967.client:api:* - gives full access to Client Server API. See MSC2967: API scopes for details of future scopes
  • urn:matrix:org.matrix.msc2967.client:device:<generated device ID> - e.g. urn:matrix:org.matrix.msc2967.client:device:ABCDEFGHIJKL

So, a complete scope would be:

openid urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:ABCDEFGHIJKL

Resources

AC

  • When oidcNativeFlow is supported at Login, a single 'continue' button is rendered (like oidc-aware flow)
  • On clicking the continue button, a request to the configured authorization endpoint is made
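
Steps 1-2 with the scope described above, as an added example that is not part of the original issue or the project's code. The helper names, the device ID character restriction, and the use of `state`, `nonce` and PKCE (RFC 7636, S256) are assumptions of this example.

```typescript
import { createHash, randomBytes, randomInt } from "node:crypto";

const API_SCOPE = "urn:matrix:org.matrix.msc2967.client:api:*";
const DEVICE_SCOPE_PREFIX = "urn:matrix:org.matrix.msc2967.client:device:";

// Unpadded base64url, the encoding PKCE (RFC 7636) uses for verifier and challenge.
const b64url = (buf: Buffer): string => buf.toString("base64url");

// Hypothetical generator: 12 random uppercase letters, the shape of the issue's example ID.
function generateDeviceId(length = 12): string {
    let id = "";
    for (let i = 0; i < length; i++) id += String.fromCharCode(65 + randomInt(26));
    return id;
}

// Scope tokens are space-delimited, so whitespace in the device ID would smuggle in
// extra scope tokens. The allowed character set here is an assumption of this example.
function buildScope(deviceId: string): string {
    if (!/^[A-Za-z0-9._~-]+$/.test(deviceId)) throw new Error("invalid device ID for scope");
    return ["openid", API_SCOPE, DEVICE_SCOPE_PREFIX + deviceId].join(" ");
}

function buildAuthorizationRequest(
    authorizationEndpoint: string, clientId: string, redirectUri: string, deviceId: string,
) {
    const url = new URL(authorizationEndpoint);
    if (url.protocol !== "https:") throw new Error("authorization endpoint must be https");
    const state = b64url(randomBytes(16)); // ties the callback in step 5 to this request
    const nonce = b64url(randomBytes(16)); // must come back inside the ID Token (step 8)
    const codeVerifier = b64url(randomBytes(32)); // stays client-side until step 6
    const codeChallenge = b64url(createHash("sha256").update(codeVerifier).digest());
    const params = {
        response_type: "code",
        client_id: clientId,
        redirect_uri: redirectUri,
        scope: buildScope(deviceId),
        state,
        nonce,
        code_challenge: codeChallenge,
        code_challenge_method: "S256",
    };
    // Set parameters one by one so any query already on the endpoint URL is preserved.
    new URLSearchParams(params).forEach((v, k) => url.searchParams.set(k, v));
    // The caller stores state, nonce and codeVerifier to check the redirect and token response.
    return { url: url.toString(), state, nonce, codeVerifier };
}
```

The client keeps `state`, `nonce` and `codeVerifier` in session storage before navigating to `url`, and rejects any callback whose `state` does not match.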
