
Commit 31e78c2

refactor(oidc): Only support public clients (#4634)
This should be the most common case, and is already the only case supported by the higher level APIs like `url_for_oidc` and `login_with_qr_code`. It simplifies the API because we can call `restore_registered_client` directly from `register_client`, which was a TODO. - [x] Public API changes documented in changelogs (optional) --------- Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>
1 parent 8a64922 commit 31e78c2


9 files changed

+187
-146
lines changed


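--- a/bindings/matrix-sdk-ffi/src/client.rs
+++ b/bindings/matrix-sdk-ffi/src/client.rs
@@ -11,7 +11,6 @@ use matrix_sdk::{
 registrations::{ClientId, OidcRegistrations},
 requests::account_management::AccountManagementActionFull,
 types::{
-client_credentials::ClientCredentials,
 registration::{
 ClientMetadata, ClientMetadataVerificationError, VerifiedClientMetadata,
 },
@@ -1589,11 +1588,7 @@ impl Session {
 },
 issuer,
 } = api.user_session().context("Missing session")?;
-let client_id = api
-.client_credentials()
-.context("OIDC client credentials are missing.")?
-.client_id()
-.to_owned();
+let client_id = api.client_id().context("OIDC client ID is missing.")?.0.clone();
 let client_metadata =
 api.client_metadata().context("OIDC client metadata is missing.")?.clone();
 let oidc_data = OidcSessionData {
@@ -1657,7 +1652,7 @@ impl TryFrom<Session> for AuthSession {
 };
 
 let session = OidcSession {
-credentials: ClientCredentials::None { client_id: oidc_data.client_id },
+client_id: ClientId(oidc_data.client_id),
 metadata: oidc_data.client_metadata,
 user: user_session,
 };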
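Review bot: The new `let client_id = api.client_id().context("OIDC client ID is missing.")?.0.clone();` reaches into the tuple field of the `ClientId` newtype that lives in another crate, so the binding now depends on that type's layout rather than its API; the same `.0.clone()` pattern appears in auth_code_builder.rs in this commit. If `ClientId` offers or gains an accessor (for example an `as_str()`), the line could read `let client_id = api.client_id().context("OIDC client ID is missing.")?.as_str().to_owned();`, keeping the field private to its crate. The reverse construction in the third hunk, `client_id: ClientId(oidc_data.client_id),`, is fine. The enclosing `impl Session` method starts outside the hunk.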

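--- a/crates/matrix-sdk/CHANGELOG.md
+++ b/crates/matrix-sdk/CHANGELOG.md
@@ -20,6 +20,16 @@ All notable changes to this project will be documented in this file.
 Note that all secrets are uploaded to the server in an encrypted form.
 ([#4629](https://github.com/matrix-org/matrix-rust-sdk/pull/4629))
 
+### Refactor
+
+- [**breaking**]: The `Oidc` API only supports public clients, i.e. clients
+without a secret.
+([#4634](https://github.com/matrix-org/matrix-rust-sdk/pull/4634))
+- `Oidc::restore_registered_client()` takes a `ClientId` instead of
+`ClientCredentials`
+- `Oidc::restore_registered_client()` must NOT be called after
+`Oidc::register_client()` anymore.
+
 ## [0.10.0] - 2025-02-04
 
 ### Features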

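--- a/crates/matrix-sdk/src/authentication/oidc/auth_code_builder.rs
+++ b/crates/matrix-sdk/src/authentication/oidc/auth_code_builder.rs
@@ -156,11 +156,8 @@ impl OidcAuthCodeUrlBuilder {
 
 let provider_metadata = oidc.provider_metadata().await?;
 
-let mut authorization_data = AuthorizationRequestData::new(
-data.credentials.client_id().to_owned(),
-scope,
-redirect_uri,
-);
+let mut authorization_data =
+AuthorizationRequestData::new(data.client_id.0.clone(), scope, redirect_uri);
 authorization_data.code_challenge_methods_supported =
 provider_metadata.code_challenge_methods_supported.clone();
 authorization_data.display = display;
@@ -181,8 +178,7 @@ impl OidcAuthCodeUrlBuilder {
 let (url, validation_data) = if let Some(par_endpoint) =
 &provider_metadata.pushed_authorization_request_endpoint
 {
-let client_credentials =
-oidc.client_credentials().ok_or(OidcError::NotAuthenticated)?;
+let client_credentials = oidc.data().ok_or(OidcError::NotAuthenticated)?.credentials();
 
 let res = oidc
 .backend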
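Review bot: In the PAR branch, `let client_credentials = oidc.data().ok_or(OidcError::NotAuthenticated)?.credentials();` now derives the credentials from the stored client data alone, and under this commit's public-client-only scope that presumably yields a credential with no secret, so the pushed authorization request goes out with client-ID-only authentication and depends on the provider accepting that for public clients. A one-line comment above it, `// Public clients only: PAR is sent with the client ID and no client secret.`, would make the intent explicit and give a reader the first place to look if a provider rejects unauthenticated PAR. The `OidcAuthCodeUrlBuilder` method containing both hunks starts and ends outside the hunk.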

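--- a/crates/matrix-sdk/src/authentication/oidc/backend/mock.rs
+++ b/crates/matrix-sdk/src/authentication/oidc/backend/mock.rs
@@ -42,8 +42,10 @@ use crate::authentication::oidc::{AuthorizationCode, OidcSessionTokens};
 pub(crate) const ISSUER_URL: &str = "https://oidc.example.com/issuer";
 pub(crate) const AUTHORIZATION_URL: &str = "https://oidc.example.com/authorization";
 pub(crate) const REVOCATION_URL: &str = "https://oidc.example.com/revocation";
+pub(crate) const REGISTRATION_URL: &str = "https://oidc.example.com/register";
 pub(crate) const TOKEN_URL: &str = "https://oidc.example.com/token";
 pub(crate) const JWKS_URL: &str = "https://oidc.example.com/jwks";
+pub(crate) const CLIENT_ID: &str = "test_client_id";
 
 #[derive(Debug)]
 pub(crate) struct MockImpl {
@@ -62,6 +64,9 @@ pub(crate) struct MockImpl {
 /// Must be an HTTPS URL.
 revocation_endpoint: String,
 
+/// Must be an HTTPS URL.
+registration_endpoint: Option<Url>,
+
 /// The next session tokens that will be returned by a login or refresh.
 next_session_tokens: Option<OidcSessionTokens>,
 
@@ -86,6 +91,7 @@ impl MockImpl {
 token_endpoint: TOKEN_URL.to_owned(),
 jwks_uri: JWKS_URL.to_owned(),
 revocation_endpoint: REVOCATION_URL.to_owned(),
+registration_endpoint: Some(Url::parse(REGISTRATION_URL).unwrap()),
 next_session_tokens: None,
 expected_refresh_token: None,
 num_refreshes: Default::default(),
@@ -108,6 +114,11 @@ impl MockImpl {
 self.is_insecure = true;
 self
 }
+
+pub fn registration_endpoint(mut self, registration_endpoint: Option<Url>) -> Self {
+self.registration_endpoint = registration_endpoint;
+self
+}
 }
 
 #[async_trait::async_trait]
@@ -131,6 +142,7 @@ impl OidcBackend for MockImpl {
 authorization_endpoint: Some(Url::parse(&self.authorization_endpoint).unwrap()),
 revocation_endpoint: Some(Url::parse(&self.revocation_endpoint).unwrap()),
 token_endpoint: Some(Url::parse(&self.token_endpoint).unwrap()),
+registration_endpoint: self.registration_endpoint.clone(),
 jwks_uri: Some(Url::parse(&self.jwks_uri).unwrap()),
 response_types_supported: Some(vec![]),
 subject_types_supported: Some(vec![]),
@@ -162,7 +174,12 @@ impl OidcBackend for MockImpl {
 _client_metadata: VerifiedClientMetadata,
 _software_statement: Option<String>,
 ) -> Result<ClientRegistrationResponse, OidcError> {
-unimplemented!()
+Ok(ClientRegistrationResponse {
+client_id: CLIENT_ID.to_owned(),
+client_secret: None,
+client_id_issued_at: None,
+client_secret_expires_at: None,
+})
 }
 
 async fn build_par_authorization_url(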
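Review bot: The doc comment on the new `registration_endpoint` field, `/// Must be an HTTPS URL.`, is copied from `revocation_endpoint` but does not fit an `Option<Url>` that the new `registration_endpoint()` builder can set to `None`; since the value is forwarded as-is into the provider metadata in the `@@ -131,6 +142,7 @@` hunk, the comment should state what the absent case means, e.g. `/// Registration endpoint to advertise in the provider metadata; None makes the mock advertise no dynamic registration.` The `register_client` mock always answers with `CLIENT_ID` and `client_secret: None`, which matches the public-client-only scope of this commit, but a short comment noting that `_client_metadata` and `_software_statement` are ignored would help test authors who expect the response to reflect their input. The `register_client` signature starts outside the hunk.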
