refactor(oidc): Remove support for Pushed Authorization Requests

It is a small optimization which makes the URL smaller, but it is not
part of the next-gen auth MSCs and is not supported by the oauth2 crate,
so let's drop it.

Signed-off-by: Kévin Commaille <[email protected]>

Author: zecakeh

crates/matrix-sdk/src/authentication/oidc/auth_code_builder.rs

@@ -23,7 +23,7 @@ use mas_oidc_client::{
     },
 };
 use ruma::UserId;
-use tracing::{error, info, instrument};
+use tracing::{info, instrument};
 use url::Url;
 
 use super::{Oidc, OidcError};
@@ -171,55 +171,12 @@ impl OidcAuthCodeUrlBuilder {
         }
 
         let authorization_endpoint = provider_metadata.authorization_endpoint();
-        let mut rng = super::rng()?;
-
-        // Try a pushed authorization request if the provider supports it.
-        let (url, validation_data) = if let Some(par_endpoint) =
-            &provider_metadata.pushed_authorization_request_endpoint
-        {
-            let client_credentials = oidc.data().ok_or(OidcError::NotAuthenticated)?.credentials();
-
-            let res = oidc
-                .backend
-                .build_par_authorization_url(
-                    client_credentials.clone(),
-                    par_endpoint,
-                    authorization_endpoint.clone(),
-                    authorization_data.clone(),
-                )
-                .await;
-
-            match res {
-                Ok(res) => res,
-                Err(error) => {
-                    // Keycloak doesn't allow public clients to use the PAR endpoint, so we
-                    // should try a regular authorization URL instead.
-                    // See: <https://github.com/keycloak/keycloak/issues/8939>
-                    let client_metadata =
-                        oidc.client_metadata().ok_or(OidcError::NotAuthenticated)?;
-
-                    // If the client said that PAR should be enforced, we should not try without
-                    // it, so just return the error.
-                    if client_metadata.require_pushed_authorization_requests.unwrap_or(false) {
-                        return Err(error);
-                    }
-
-                    error!(
-                        ?error,
-                        "Error making a request to the Pushed Authorization Request endpoint. \
-                        Falling back to a regular authorization URL"
-                    );
-
-                    build_authorization_url(
-                        authorization_endpoint.clone(),
-                        authorization_data,
-                        &mut rng,
-                    )?
-                }
-            }
-        } else {
-            build_authorization_url(authorization_endpoint.clone(), authorization_data, &mut rng)?
-        };
+
+        let (url, validation_data) = build_authorization_url(
+            authorization_endpoint.clone(),
+            authorization_data,
+            &mut super::rng()?,
+        )?;
 
         let state = validation_data.state.clone();
 

crates/matrix-sdk/src/authentication/oidc/backend/mock.rs

@@ -22,7 +22,7 @@ use mas_oidc_client::{
         DiscoveryError as OidcDiscoveryError, Error as OidcClientError, ErrorBody as OidcErrorBody,
         HttpError as OidcHttpError, TokenRefreshError, TokenRequestError,
     },
-    requests::authorization_code::{AuthorizationRequestData, AuthorizationValidationData},
+    requests::authorization_code::AuthorizationValidationData,
     types::{
         client_credentials::ClientCredentials,
         errors::ClientErrorCode,
@@ -192,16 +192,6 @@ impl OidcBackend for MockImpl {
         })
     }
 
-    async fn build_par_authorization_url(
-        &self,
-        _client_credentials: ClientCredentials,
-        _par_endpoint: &Url,
-        _authorization_endpoint: Url,
-        _authorization_data: AuthorizationRequestData,
-    ) -> Result<(Url, AuthorizationValidationData), OidcError> {
-        unimplemented!()
-    }
-
     async fn revoke_token(
         &self,
         _client_credentials: ClientCredentials,

crates/matrix-sdk/src/authentication/oidc/backend/mod.rs

@@ -17,7 +17,7 @@
 //! Used mostly for testing purposes.
 
 use mas_oidc_client::{
-    requests::authorization_code::{AuthorizationRequestData, AuthorizationValidationData},
+    requests::authorization_code::AuthorizationValidationData,
     types::{
         client_credentials::ClientCredentials,
         iana::oauth::OAuthTokenTypeHint,
@@ -72,14 +72,6 @@ pub(super) trait OidcBackend: std::fmt::Debug + Send + Sync {
         latest_id_token: Option<IdToken<'static>>,
     ) -> Result<RefreshedSessionTokens, OidcError>;
 
-    async fn build_par_authorization_url(
-        &self,
-        client_credentials: ClientCredentials,
-        par_endpoint: &Url,
-        authorization_endpoint: Url,
-        authorization_data: AuthorizationRequestData,
-    ) -> Result<(Url, AuthorizationValidationData), OidcError>;
-
     async fn revoke_token(
         &self,
         client_credentials: ClientCredentials,

crates/matrix-sdk/src/authentication/oidc/backend/server.rs

@@ -23,10 +23,7 @@ use mas_oidc_client::{
     http_service::HttpService,
     jose::jwk::PublicJsonWebKeySet,
     requests::{
-        authorization_code::{
-            access_token_with_authorization_code, build_par_authorization_url,
-            AuthorizationRequestData, AuthorizationValidationData,
-        },
+        authorization_code::{access_token_with_authorization_code, AuthorizationValidationData},
         discovery::{discover, insecure_discover},
         jose::{fetch_jwks, JwtVerificationData},
         refresh_token::refresh_access_token,
@@ -225,25 +222,6 @@ impl OidcBackend for OidcServer {
         .map_err(Into::into)
     }
 
-    async fn build_par_authorization_url(
-        &self,
-        client_credentials: ClientCredentials,
-        par_endpoint: &Url,
-        authorization_endpoint: Url,
-        authorization_data: AuthorizationRequestData,
-    ) -> Result<(Url, AuthorizationValidationData), OidcError> {
-        Ok(build_par_authorization_url(
-            &self.http_service(),
-            client_credentials,
-            par_endpoint,
-            authorization_endpoint,
-            authorization_data,
-            Utc::now(),
-            &mut rng()?,
-        )
-        .await?)
-    }
-
     async fn revoke_token(
         &self,
         client_credentials: ClientCredentials,