BREAKING: implement Native OIDC as per MSC 3861

[TheOneWithTheBraid]

BREAKING: changes to the database API to better reflect the OIDC state

This implementation is based on the draft of native OIDC I implemented in < polycule >. It can be found here. Unlike in my initial draft, this implementation of course does not rely on any Flutter package but ships a minimal OIDC state machine relying on the matrix client to provide the native callback result via a Completer.

This implementation does not aim to comply to the full OIDC standard but only the subset required as per the MSCs stated below.

This PR does not aim to implement OIDC device flow as per MSC 4108 nor the changes for the application services as per MSC 4190.

Roadmap:

• initial viable implementation
• migrate the < polycule > implementation to this OIDC stack
• excessive testing
• figure out a test concept

Implements:

• MSC 3861 - Next-generation auth for Matrix, based on OAuth 2.0/OIDC
  • MSC 1597 - Better spec for matrix identifiers
  • MSC 2964 - Usage of OAuth 2.0 authorization code grant and refresh token grant
  • MSC 2965 - OAuth 2.0 Authorization Server Metadata discovery
  • MSC 2966 - Usage of OAuth 2.0 Dynamic Client Registration in Matrix
  • MSC 2967 - API scopes
  • MSC 3824 - OIDC aware clients
  • MSC 4108 - Mechanism to allow OIDC sign in and E2EE set up via QR code - not planned for this PR
  • MSC 4190 - Device management for application services - not planned for this PR
  • MSC 4191 - Account management deep-linking

[TheOneWithTheBraid]

A comment on the changes to the database API:

I initially intended to just keep all OIDC-related state (device ID, OAuth2.0 client ID, auth metadata) in memory until the OIDC flow completes. I sadly figured out the Dart process might get killed by the platform for battery optimization. In order to complete the flow after the main process was killed, I decided to store the OAuth2 client ID and the homeserver's auth metadata in the database as well as to split the device ID from the remaining client store since now the device ID is present a long time before the rest of the account is available.

Even though I so far already implemented the database API changes with this in mind, there is no way to resume an OIDC flow from a new thread yet.

[TheOneWithTheBraid]

Outdated review hint

Review notice: So far, the default behavior of the updated Client.getWellknown is to only check the brand new /auth_metadata endpoint. This might require Synapse nightly builds to work. Client developers however are free to use the previous revision of the MSC suggesting to use the /auth_issuer endpoint or the .well-known entry containing the org.matrix.msc2965.authentication field. All three possible implementations are supported in this PR. Since the default is definitely going to be the new /auth_metadata, the implementation already suggests this at this point.

EDIT: I adjusted the behavior of Client.getWellknown to cope with all three permitted approaches of OIDC discovery. The implementation will therefore work with both stable Synapse releases as well as cutting edge Synapse builds already using the newest approach.

You can now easily use e.g. synapse-oidc.element.dev for testing.

[TheOneWithTheBraid]

The < polycule > side implementation is now merged and works like a charm. Maybe that's helpful for testing this PR in real world: https://gitlab.com/polycule_client/polycule/-/merge_requests/245

[TheOneWithTheBraid]

Since I unaskedly opened this PR, I'd kindly offer to take care of the OIDC code's maintenance in future too. You folks all have my MXID and can always poke me if there are future issues about the OIDC code.

[TheOneWithTheBraid]

Clients might require the following workaround for #2027 : #2027 (comment)

[TheOneWithTheBraid]

Is there any update on review of this PR ? It's now been months and months of waiting and I still did not even get a response on whether you are actually willing to ever accept this contribution. Instead only vaguely related comments.

[td-famedly]

helo :3 sorry for the delay. I will now start reading the msc(s) and try to get back to this asap!

(still expecting a marklin set on my bday!)

edit:

It's now been months and months of waiting and I still did not even get a response on whether you are actually willing to ever accept this contribution. Instead only vaguely related comments.

Sorry for the delay, everyone internally has been super busy with "work". I have not heard anything about not accepting this contribution so I will review it with the end goal of getting it merged asap! Again thank you very much for the contribution and sorry for the delay!

[td-famedly]

very draft review, will try to go through the whole flow and look at the client implementation after this

[td-famedly]

would it be possible to add tests for this?

[td-famedly]

nitpick repeated bit, would it be possible to deduplicate it?

[TheOneWithTheBraid]

We can't deduplicate this without adding a ! null check we can avoid. Better variables duplicated than unsound null safety.

[td-famedly]

only a little bit concerned that this is a draft msc

[TheOneWithTheBraid]

Yeah, it's a draft but a) it doesn't break anything and b) it's so much of a simple MSC, I don't see much regression in it - even if we should happen to adjust the behavior later in time.

[td-famedly]

nitpick but having a map key as null doesn't really look right. Would {clientName: locale?} be better here? A little wrapper class would probably be a bit cleaner

[TheOneWithTheBraid]

Hmmmm, a null key in the map is sadly exactly what the Dart Uir class expects for its queryParameters property. I do not see need for introducing a new helper class just in order to later map it to a Uri.queryParameters instance again just because the syntax of this parameter is a bit weird. What would be the benefit for end users ? They won't touch this part of the code anyway since they only provide the parameters the SDK will later write into the Map.

[td-famedly]

If the prompt doesn't match, do we want to continue?

[TheOneWithTheBraid]

Yes. A client might request a prompt the server does not know. Using this handler here, the authentication server will fall back on the default selection showing all possible ways to proceed. The only behavior we need to avoid is passing an invalid prompt since this would cause the authentication server to show an error screen.

[TheOneWithTheBraid]

(E.g. a client could hard-code the two prompts login and register. In this case the SDK takes care of not prompting an invalid option to the MAS if e.g. registration is disabled.)

[TheOneWithTheBraid]

In fact, it's a pure convenience feature making client implementation easier and more reliable.

[td-famedly]

Can you make sure to remove ALL the padding?

[TheOneWithTheBraid]

Dart's base64 codec only adds the trailing = as padding, doesn't it ? Any suggestions how to better handle the padding ? I'm a bit clueless on how to do this without over engineering the implementation. Help appreciated.

[krille-chan]

I don't think we need this. Just use getClient() and pick what you need from it. To have it type safe we could later migrate it to returning a Dart Record.
Yeah that would fetch more data than necessary but I would prefer this over having the database API even more complex.

[krille-chan]

Why do we need the stored device ID and can't just use Client.deviceID? It should be the same

[krille-chan]

Can you add more comments what this does? The method name is super unintuitive. Links to the MSCs would also be more helpful than MSC numbers.

[krille-chan]

The method name says nothing about what it does? No idea what this is flow. Please switch this to a proper name with dart docs

[krille-chan]

I doubt that this really needs to be waited for. Can't we just make it part of the Database.getClient call?

[krille-chan]

Looks quite good so far, though I'm not that into the MSCs of Matrix. Will test out if it works with oidc login on FluffyChat soon...

[krille-chan]

Can you add an example how to actually use this?