feat: implement OIDC server for next-gen auth (MSC2965/2964/2966/2967)

Implements a built-in OIDC authorization server that allows Matrix clients
like Element X to authenticate via the next-gen auth flow (MSC2964). User
authentication is delegated to upstream identity providers (e.g. Kanidm)
through the existing SSO/OAuth client flow.

Endpoints:
- auth_issuer + auth_metadata discovery (stable v1 + unstable MSC2965)
- OpenID Connect discovery (/.well-known/openid-configuration)
- Dynamic Client Registration (MSC2966)
- Authorization + token + revocation + JWKS + userinfo
- SSO bridge: authorize → SSO redirect → complete → code → token

Features:
- ES256 (P-256) JWT signing with persistent key material
- PKCE (S256) support
- Authorization code grant with refresh tokens
- All OIDC state persisted in RocksDB (signing keys, client registrations,
  auth codes, pending auth requests)
- Device ID extraction from MSC2967 scopes
- Fixes sso_default_provider_id config handling (was previously unused)

Refs: #246, #266

Author: dasha-uwu

Cargo.lock

@@ -27,7 +27,9 @@ impl Context<'_> {
 	}
 
 	#[inline]
-	pub(crate) async fn write_string(&self, s: String) -> Result { self.write_str(&s).await }
+	pub(crate) async fn write_string(&self, s: String) -> Result {
+		self.write_str(&s).await
+	}
 
 	pub(crate) fn write_str<'a>(
 		&'a self,

src/admin/context.rs

@@ -243,9 +243,10 @@ pub(super) async fn get_remote_pdu(
 	match self
 		.services
 		.federation
-		.execute(&server, ruma::api::federation::event::get_event::v1::Request {
-			event_id: event_id.clone(),
-		})
+		.execute(
+			&server,
+			ruma::api::federation::event::get_event::v1::Request { event_id: event_id.clone() },
+		)
 		.await
 	{
 		| Err(e) => {
@@ -579,10 +580,13 @@ pub(super) async fn force_set_room_state_from_server(
 	let remote_state_response = self
 		.services
 		.federation
-		.execute(&server_name, get_room_state::v1::Request {
-			room_id: room_id.clone(),
-			event_id: first_pdu.event_id().to_owned(),
-		})
+		.execute(
+			&server_name,
+			get_room_state::v1::Request {
+				room_id: room_id.clone(),
+				event_id: first_pdu.event_id().to_owned(),
+			},
+		)
 		.await?;
 
 	for pdu in remote_state_response.pdus.clone() {

src/admin/debug/commands.rs

@@ -36,7 +36,9 @@ use tuwunel_service::{
 use crate::{admin, admin::AdminCommand, context::Context};
 
 #[must_use]
-pub(super) fn complete(line: &str) -> String { complete_command(AdminCommand::command(), line) }
+pub(super) fn complete(line: &str) -> String {
+	complete_command(AdminCommand::command(), line)
+}
 
 #[must_use]
 pub(super) fn dispatch(services: Arc<Services>, command: CommandInput) -> ProcessorFuture {
@@ -78,8 +80,9 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce
 		String::from_utf8(take(output.get_mut())).expect("invalid utf8 in command output stream");
 
 	match result {
-		| Ok(()) if logs.is_empty() =>
-			Ok(Some(reply(RoomMessageEventContent::notice_markdown(output), context.reply_id))),
+		| Ok(()) if logs.is_empty() => {
+			Ok(Some(reply(RoomMessageEventContent::notice_markdown(output), context.reply_id)))
+		},
 
 		| Ok(()) => {
 			logs.write_str(output.as_str())
@@ -99,8 +102,7 @@ async fn process_command(services: Arc<Services>, input: &CommandInput) -> Proce
 }
 
 fn handle_panic(error: &Error, command: &CommandInput) -> ProcessorResult {
-	let link =
-		"Please submit a [bug report](https://github.com/matrix-construct/tuwunel/issues/new). \
+	let link = "Please submit a [bug report](https://github.com/matrix-construct/tuwunel/issues/new). \
 		 🥺";
 	let msg = format!("Panic occurred while processing command:\n```\n{error:#?}\n```\n{link}");
 	let content = RoomMessageEventContent::notice_markdown(msg);

src/admin/processor.rs

@@ -1,3 +1,5 @@
+#![allow(clippy::semicolon_if_nothing_returned)]
+
 use clap::Subcommand;
 use futures::{StreamExt, TryStreamExt};
 use ruma::OwnedUserId;
@@ -261,11 +263,12 @@ pub(super) async fn oauth_revoke(&self, id: SessionOrUserId) -> Result {
 				.await
 				.ok();
 		},
-		| Right(user_id) =>
+		| Right(user_id) => {
 			self.services
 				.oauth
 				.revoke_user_tokens(&user_id)
-				.await,
+				.await
+		},
 	}
 
 	self.write_str("revoked").await

src/admin/query/oauth.rs

@@ -256,18 +256,20 @@ pub(super) async fn raw_keys(
 	let timer = Instant::now();
 
 	let stream = match from.as_ref().or(prefix.as_ref()) {
-		| Some(from) =>
+		| Some(from) => {
 			if !backwards {
 				map.raw_keys_from(from).boxed()
 			} else {
 				map.rev_raw_keys_from(from).boxed()
-			},
-		| None =>
+			}
+		},
+		| None => {
 			if !backwards {
 				map.raw_keys().boxed()
 			} else {
 				map.rev_raw_keys().boxed()
-			},
+			}
+		},
 	};
 
 	let prefix = prefix.as_ref().map(String::as_bytes);
@@ -393,18 +395,20 @@ pub(super) async fn raw_iter(
 	let map = self.services.db.get(&map)?;
 	let timer = Instant::now();
 	let stream = match from.as_ref().or(prefix.as_ref()) {
-		| Some(from) =>
+		| Some(from) => {
 			if !backwards {
 				map.raw_stream_from(from).boxed()
 			} else {
 				map.rev_raw_stream_from(from).boxed()
-			},
-		| None =>
+			}
+		},
+		| None => {
 			if !backwards {
 				map.raw_stream().boxed()
 			} else {
 				map.rev_raw_stream().boxed()
-			},
+			}
+		},
 	};
 
 	let prefix = prefix.as_ref().map(String::as_bytes);

src/admin/query/raw.rs

@@ -73,12 +73,13 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 								.set_alias(&room_alias, &room_id, server_user)
 							{
 								| Err(err) => Err!("Failed to remove alias: {err}"),
-								| Ok(()) =>
+								| Ok(()) => {
 									context
 										.write_str(&format!(
 											"Successfully overwrote alias (formerly {id})"
 										))
-										.await,
+										.await
+								},
 							}
 						},
 						| (false, Ok(id)) => Err!(
@@ -109,10 +110,11 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 							.await
 						{
 							| Err(err) => Err!("Failed to remove alias: {err}"),
-							| Ok(()) =>
+							| Ok(()) => {
 								context
 									.write_str(&format!("Removed alias from {id}"))
-									.await,
+									.await
+							},
 						},
 					}
 				},
@@ -123,16 +125,17 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 						.await
 					{
 						| Err(_) => Err!("Alias isn't in use."),
-						| Ok(id) =>
+						| Ok(id) => {
 							context
 								.write_str(&format!("Alias resolves to {id}"))
-								.await,
+								.await
+						},
 					}
 				},
 				| RoomAliasCommand::List { .. } => unreachable!(),
 			}
 		},
-		| RoomAliasCommand::List { room_id } =>
+		| RoomAliasCommand::List { room_id } => {
 			if let Some(room_id) = room_id {
 				let aliases: Vec<OwnedRoomAliasId> = services
 					.alias
@@ -170,6 +173,7 @@ pub(super) async fn process(command: RoomAliasCommand, context: &Context<'_>) ->
 
 				let plain = format!("Aliases:\n{plain_list}");
 				context.write_str(&plain).await
-			},
+			}
+		},
 	}
 }

src/admin/room/alias.rs

@@ -1,13 +1,19 @@
 #![cfg(test)]
 
 #[test]
-fn get_help_short() { get_help_inner("-h"); }
+fn get_help_short() {
+	get_help_inner("-h");
+}
 
 #[test]
-fn get_help_long() { get_help_inner("--help"); }
+fn get_help_long() {
+	get_help_inner("--help");
+}
 
 #[test]
-fn get_help_subcommand() { get_help_inner("help"); }
+fn get_help_subcommand() {
+	get_help_inner("help");
+}
 
 fn get_help_inner(input: &str) {
 	use clap::Parser;

src/admin/tests.rs

@@ -38,9 +38,12 @@ pub(crate) async fn appservice_ping(
 
 	let _response = services
 		.appservice
-		.send_request(appservice_info.registration.clone(), ping::send_ping::v1::Request {
-			transaction_id: body.transaction_id.clone(),
-		})
+		.send_request(
+			appservice_info.registration.clone(),
+			ping::send_ping::v1::Request {
+				transaction_id: body.transaction_id.clone(),
+			},
+		)
 		.await?
 		.expect("We already validated if an appservice URL exists above");
 

src/api/client/appservice.rs

@@ -371,8 +371,9 @@ async fn user_can_publish_room(
 		.get_power_levels(room_id)
 		.await
 	{
-		| Ok(power_levels) =>
-			Ok(power_levels.user_can_send_state(user_id, StateEventType::RoomHistoryVisibility)),
+		| Ok(power_levels) => {
+			Ok(power_levels.user_can_send_state(user_id, StateEventType::RoomHistoryVisibility))
+		},
 		| _ => {
 			match services
 				.state_accessor