feat: implement OIDC server for next-gen auth (MSC2965/2964/2966/2967) #342
Draft
lytedev wants to merge 2 commits into matrix-construct:main from
Conversation
There is https://github.com/element-hq/matrix-authentication-service/tree/main/crates/cli which starts MAS
Closed
Author
Looks like that code is under an incompatible software license. I'm a big AGPL fan, but we can't use it here as far as I'm aware =(
7b49e20 to 1807530
Implements a built-in OIDC authorization server that allows Matrix clients
like Element X to authenticate via OIDC, delegating user authentication
to upstream identity providers (e.g. Kanidm) through the existing SSO flow.
## Endpoints
- GET /_matrix/client/unstable/org.matrix.msc2965/auth_issuer
- GET /.well-known/openid-configuration
- POST /_tuwunel/oidc/registration (Dynamic Client Registration)
- GET /_tuwunel/oidc/authorize → SSO redirect → _complete bridge
- POST /_tuwunel/oidc/token (auth code exchange + refresh)
- POST /_tuwunel/oidc/revoke
- GET /_tuwunel/oidc/jwks
- GET /_tuwunel/oidc/userinfo
- GET /_tuwunel/oidc/account (placeholder)
## Spec compliance fixes
- OAuth error responses use RFC 6749 §5.2 format ({"error": "...", "error_description": "..."})
- PKCE code_verifier validation per RFC 7636 §4.1
- Scope token matching uses exact whitespace-delimited comparison per RFC 6749 §3.3
- Typed ProviderMetadata struct for the discovery document
- DCR includes policy_uri, tos_uri, software_id, software_version per RFC 7591
Refs: matrix-construct#246, matrix-construct#266
… sync
- Add policy_uri, tos_uri, software_id, software_version to DCR per RFC 7591
- Add code_verifier length (43-128) and charset validation per RFC 7636 §4.1
- Warn at startup if OIDC server enabled without identity providers
- Include Cargo.lock update for ring dependency
Implements a built-in OIDC authorization server that allows Matrix clients like Element X to authenticate via the next-gen auth flow (MSC2964). User authentication is delegated to upstream identity providers (e.g. Kanidm) through the existing SSO/OAuth client flow.
## Endpoints
## Features
## Spec compliance fixes
- OAuth error responses use RFC 6749 §5.2 format (`{"error": "...", "error_description": "..."}`) on token, registration, and revocation endpoints instead of Matrix `{"errcode": "M_..."}` format
- Typed `ProviderMetadata` struct for the discovery document with documented fields per RFC 8414 / OpenID Connect Discovery 1.0
- DCR includes `policy_uri`, `tos_uri`, `software_id`, `software_version` per RFC 7591
Refs: #246, #266
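As an added example (not code from this PR or the tuwunel project), the two input checks listed under "Spec compliance fixes", written stand-alone in Rust: code_verifier validation per RFC 7636 §4.1 and exact space-delimited scope matching per RFC 6749 §3.3. The scope and verifier values are constructed; the MSC2967 scope string is used only to show that a prefix of it must not match.

```rust
/// RFC 7636 §4.1: a code_verifier is 43 to 128 characters drawn from the
/// unreserved set ALPHA / DIGIT / "-" / "." / "_" / "~". Anything else is
/// rejected before any PKCE hashing takes place.
pub fn valid_code_verifier(verifier: &str) -> bool {
    let unreserved = |b: u8| b.is_ascii_alphanumeric() || matches!(b, b'-' | b'.' | b'_' | b'~');
    (43..=128).contains(&verifier.len()) && verifier.bytes().all(unreserved)
}

/// RFC 6749 §3.3: a scope-token is 1*( %x21 / %x23-5B / %x5D-7E ), i.e.
/// printable ASCII without space, double quote or backslash.
pub fn valid_scope_token(token: &str) -> bool {
    !token.is_empty() && token.bytes().all(|b| matches!(b, 0x21 | 0x23..=0x5B | 0x5D..=0x7E))
}

/// Split a scope string on the RFC 6749 delimiter (a single space, %x20),
/// ignoring runs of spaces.
pub fn scope_tokens(scope: &str) -> Vec<&str> {
    scope.split(' ').filter(|t| !t.is_empty()).collect()
}

/// True when every requested token appears in `granted` as a whole token.
/// Exact comparison means "openid" is not satisfied by "openid2", and a
/// request for the MSC2967 scope minus its trailing ":*" does not match the
/// granted "urn:matrix:org.matrix.msc2967.client:api:*". An empty or
/// malformed request grants nothing.
pub fn scope_covered(granted: &str, requested: &str) -> bool {
    let granted = scope_tokens(granted);
    let requested = scope_tokens(requested);
    !requested.is_empty()
        && requested.iter().all(|t| valid_scope_token(t) && granted.contains(t))
}

fn main() {
    // Constructed sample inputs, not values from the PR.
    let verifier = "a".repeat(43);
    println!("43-char verifier valid: {}", valid_code_verifier(&verifier));
    println!("42-char verifier valid: {}", valid_code_verifier(&verifier[..42]));
    let granted = "openid urn:matrix:org.matrix.msc2967.client:api:*";
    println!("openid covered: {}", scope_covered(granted, "openid"));
    println!("openid2 covered: {}", scope_covered(granted, "openid2"));
}
```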