refactor(oidc): Only support public clients (#4634)

This should be the most common case, and is already the only case
supported by the higher level APIs like `url_for_oidc` and
`login_with_qr_code`. It simplifies the API because we can call
`restore_registered_client` directly from `register_client`, which was a
TODO.

- [x] Public API changes documented in changelogs (optional)

---------

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>

Author: zecakeh

bindings/matrix-sdk-ffi/src/client.rs

@@ -11,7 +11,6 @@ use matrix_sdk::{
         registrations::{ClientId, OidcRegistrations},
         requests::account_management::AccountManagementActionFull,
         types::{
-            client_credentials::ClientCredentials,
             registration::{
                 ClientMetadata, ClientMetadataVerificationError, VerifiedClientMetadata,
             },
@@ -1589,11 +1588,7 @@ impl Session {
                         },
                     issuer,
                 } = api.user_session().context("Missing session")?;
-                let client_id = api
-                    .client_credentials()
-                    .context("OIDC client credentials are missing.")?
-                    .client_id()
-                    .to_owned();
+                let client_id = api.client_id().context("OIDC client ID is missing.")?.0.clone();
                 let client_metadata =
                     api.client_metadata().context("OIDC client metadata is missing.")?.clone();
                 let oidc_data = OidcSessionData {
@@ -1657,7 +1652,7 @@ impl TryFrom<Session> for AuthSession {
             };
 
             let session = OidcSession {
-                credentials: ClientCredentials::None { client_id: oidc_data.client_id },
+                client_id: ClientId(oidc_data.client_id),
                 metadata: oidc_data.client_metadata,
                 user: user_session,
             };

crates/matrix-sdk/CHANGELOG.md

@@ -20,6 +20,16 @@ All notable changes to this project will be documented in this file.
   Note that all secrets are uploaded to the server in an encrypted form.
   ([#4629](https://github.com/matrix-org/matrix-rust-sdk/pull/4629))
 
+### Refactor
+
+- [**breaking**]: The `Oidc` API only supports public clients, i.e. clients
+  without a secret.
+  ([#4634](https://github.com/matrix-org/matrix-rust-sdk/pull/4634))
+  - `Oidc::restore_registered_client()` takes a `ClientId` instead of
+    `ClientCredentials`
+  - `Oidc::restore_registered_client()` must NOT be called after
+    `Oidc::register_client()` anymore.
+
 ## [0.10.0] - 2025-02-04
 
 ### Features

crates/matrix-sdk/src/authentication/oidc/auth_code_builder.rs

@@ -156,11 +156,8 @@ impl OidcAuthCodeUrlBuilder {
 
         let provider_metadata = oidc.provider_metadata().await?;
 
-        let mut authorization_data = AuthorizationRequestData::new(
-            data.credentials.client_id().to_owned(),
-            scope,
-            redirect_uri,
-        );
+        let mut authorization_data =
+            AuthorizationRequestData::new(data.client_id.0.clone(), scope, redirect_uri);
         authorization_data.code_challenge_methods_supported =
             provider_metadata.code_challenge_methods_supported.clone();
         authorization_data.display = display;
@@ -181,8 +178,7 @@ impl OidcAuthCodeUrlBuilder {
         let (url, validation_data) = if let Some(par_endpoint) =
             &provider_metadata.pushed_authorization_request_endpoint
         {
-            let client_credentials =
-                oidc.client_credentials().ok_or(OidcError::NotAuthenticated)?;
+            let client_credentials = oidc.data().ok_or(OidcError::NotAuthenticated)?.credentials();
 
             let res = oidc
                 .backend

crates/matrix-sdk/src/authentication/oidc/backend/mock.rs

@@ -42,8 +42,10 @@ use crate::authentication::oidc::{AuthorizationCode, OidcSessionTokens};
 pub(crate) const ISSUER_URL: &str = "https://oidc.example.com/issuer";
 pub(crate) const AUTHORIZATION_URL: &str = "https://oidc.example.com/authorization";
 pub(crate) const REVOCATION_URL: &str = "https://oidc.example.com/revocation";
+pub(crate) const REGISTRATION_URL: &str = "https://oidc.example.com/register";
 pub(crate) const TOKEN_URL: &str = "https://oidc.example.com/token";
 pub(crate) const JWKS_URL: &str = "https://oidc.example.com/jwks";
+pub(crate) const CLIENT_ID: &str = "test_client_id";
 
 #[derive(Debug)]
 pub(crate) struct MockImpl {
@@ -62,6 +64,9 @@ pub(crate) struct MockImpl {
     /// Must be an HTTPS URL.
     revocation_endpoint: String,
 
+    /// Must be an HTTPS URL.
+    registration_endpoint: Option<Url>,
+
     /// The next session tokens that will be returned by a login or refresh.
     next_session_tokens: Option<OidcSessionTokens>,
 
@@ -86,6 +91,7 @@ impl MockImpl {
             token_endpoint: TOKEN_URL.to_owned(),
             jwks_uri: JWKS_URL.to_owned(),
             revocation_endpoint: REVOCATION_URL.to_owned(),
+            registration_endpoint: Some(Url::parse(REGISTRATION_URL).unwrap()),
             next_session_tokens: None,
             expected_refresh_token: None,
             num_refreshes: Default::default(),
@@ -108,6 +114,11 @@ impl MockImpl {
         self.is_insecure = true;
         self
     }
+
+    pub fn registration_endpoint(mut self, registration_endpoint: Option<Url>) -> Self {
+        self.registration_endpoint = registration_endpoint;
+        self
+    }
 }
 
 #[async_trait::async_trait]
@@ -131,6 +142,7 @@ impl OidcBackend for MockImpl {
             authorization_endpoint: Some(Url::parse(&self.authorization_endpoint).unwrap()),
             revocation_endpoint: Some(Url::parse(&self.revocation_endpoint).unwrap()),
             token_endpoint: Some(Url::parse(&self.token_endpoint).unwrap()),
+            registration_endpoint: self.registration_endpoint.clone(),
             jwks_uri: Some(Url::parse(&self.jwks_uri).unwrap()),
             response_types_supported: Some(vec![]),
             subject_types_supported: Some(vec![]),
@@ -162,7 +174,12 @@ impl OidcBackend for MockImpl {
         _client_metadata: VerifiedClientMetadata,
         _software_statement: Option<String>,
     ) -> Result<ClientRegistrationResponse, OidcError> {
-        unimplemented!()
+        Ok(ClientRegistrationResponse {
+            client_id: CLIENT_ID.to_owned(),
+            client_secret: None,
+            client_id_issued_at: None,
+            client_secret_expires_at: None,
+        })
     }
 
     async fn build_par_authorization_url(