refactor(auth-qrcode): Use oauth2 crate instead of openidconnect

The MSCs are now only based on OAuth 2.0, which is simpler than OpenID Connect.

Signed-off-by: Kévin Commaille <zecakeh@tedomum.fr>

Author: zecakeh

Cargo.lock

@@ -53,7 +53,7 @@ experimental-oidc = [
     "dep:rand",
     "dep:sha2",
     "dep:tower",
-    "dep:openidconnect",
+    "dep:oauth2",
 ]
 experimental-widgets = ["dep:language-tags", "dep:uuid"]
 
@@ -129,7 +129,7 @@ tokio = { workspace = true, features = ["macros"] }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 backoff = { version = "0.4.0", features = ["tokio"] }
-openidconnect = { version = "4.0.0", optional = true }
+oauth2 = { version = "5.0.0", default-features = false, features = ["reqwest"], optional = true }
 # only activate reqwest's stream feature on non-wasm, the wasm part seems to not
 # support *sending* streams, which makes it useless for us.
 reqwest = { workspace = true, features = ["stream", "gzip", "http2"] }

crates/matrix-sdk/Cargo.toml

@@ -24,7 +24,7 @@ use matrix_sdk_base::{
     crypto::types::qr_login::{QrCodeData, QrCodeMode},
     SessionMeta,
 };
-use openidconnect::DeviceCodeErrorResponseType;
+use oauth2::DeviceCodeErrorResponseType;
 use ruma::OwnedDeviceId;
 use tracing::trace;
 use vodozemac::ecies::CheckCode;
@@ -291,38 +291,33 @@ impl<'a> LoginWithQrCode<'a> {
     }
 
     async fn register_client(&self) -> Result<OidcClient, DeviceAuhorizationOidcError> {
+        let oidc = self.client.oidc();
+
         // Let's figure out the OIDC issuer, this fetches the info from the homeserver.
-        let issuer = self
-            .client
-            .oidc()
+        let issuer = oidc
             .fetch_authentication_issuer()
             .await
             .map_err(DeviceAuhorizationOidcError::AuthenticationIssuer)?;
 
         // Now we register the client with the OIDC provider.
         let registration_response =
-            self.client.oidc().register_client(&issuer, self.client_metadata.clone(), None).await?;
+            oidc.register_client(&issuer, self.client_metadata.clone(), None).await?;
 
-        // Now we need to put the relevant data we got from the regustration response
+        // Now we need to put the relevant data we got from the registration response
         // into the `Client`.
         // TODO: Why isn't `oidc().register_client()` doing this automatically?
-        self.client.oidc().restore_registered_client(
+        oidc.restore_registered_client(
             issuer.clone(),
             self.client_metadata.clone(),
             ClientCredentials::None { client_id: registration_response.client_id.clone() },
         );
 
-        // We're now switching to the openidconnect crate, it has a bit of a strange API
+        // We're now switching to the oauth2 crate, it has a bit of a strange API
         // where you need to provide the HTTP client in every call you make.
         let http_client = self.client.inner.http_client.clone();
+        let server_metadata = oidc.provider_metadata().await?;
 
-        OidcClient::new(
-            registration_response.client_id,
-            issuer,
-            http_client,
-            registration_response.client_secret.as_deref(),
-        )
-        .await
+        OidcClient::new(registration_response.client_id, &server_metadata, http_client)
     }
 }
 
@@ -633,13 +628,15 @@ mod test {
 
             })))
             .expect(1)
+            .named("auth_issuer")
             .mount(server)
             .await;
 
         Mock::given(method("GET"))
             .and(path("/.well-known/openid-configuration"))
             .respond_with(ResponseTemplate::new(200).set_body_json(open_id_configuration(server)))
             .expect(1..)
+            .named("server_metadata")
             .mount(server)
             .await;
 
@@ -650,26 +647,29 @@ mod test {
                 "client_id_issued_at": 1716375696
             })))
             .expect(1)
+            .named("registration_endpoint")
             .mount(server)
             .await;
 
         Mock::given(method("GET"))
             .and(path("/oauth2/keys.json"))
             .respond_with(ResponseTemplate::new(200).set_body_json(keys_json()))
-            .expect(1)
+            .named("jwks")
             .mount(server)
             .await;
 
         Mock::given(method("POST"))
             .and(path("/oauth2/device"))
             .respond_with(ResponseTemplate::new(200).set_body_json(device_code(server)))
             .expect(1)
+            .named("device_authorization_endpoint")
             .mount(server)
             .await;
 
         Mock::given(method("POST"))
             .and(path("/oauth2/token"))
             .respond_with(token_response)
+            .named("token_endpoint")
             .mount(server)
             .await;
     }

crates/matrix-sdk/src/authentication/qrcode/login.rs

@@ -14,8 +14,8 @@
 
 use matrix_sdk_base::crypto::types::SecretsBundle;
 use matrix_sdk_common::deserialized_responses::PrivOwnedStr;
-use openidconnect::{
-    core::CoreDeviceAuthorizationResponse, EndUserVerificationUrl, VerificationUriComplete,
+use oauth2::{
+    EndUserVerificationUrl, StandardDeviceAuthorizationResponse, VerificationUriComplete,
 };
 use ruma::serde::StringEnum;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
@@ -107,8 +107,8 @@ impl QrAuthMessage {
     }
 }
 
-impl From<&CoreDeviceAuthorizationResponse> for AuthorizationGrant {
-    fn from(value: &CoreDeviceAuthorizationResponse) -> Self {
+impl From<&StandardDeviceAuthorizationResponse> for AuthorizationGrant {
+    fn from(value: &StandardDeviceAuthorizationResponse) -> Self {
         Self {
             verification_uri: value.verification_uri().clone(),
             verification_uri_complete: value.verification_uri_complete().cloned(),

crates/matrix-sdk/src/authentication/qrcode/messages.rs

@@ -24,9 +24,10 @@
 
 use as_variant::as_variant;
 use matrix_sdk_base::crypto::SecretImportError;
-pub use openidconnect::{
-    core::CoreErrorResponseType, ConfigurationError, DeviceCodeErrorResponseType, DiscoveryError,
-    HttpClientError, RequestTokenError, StandardErrorResponse,
+pub use oauth2::{
+    basic::{BasicErrorResponse, BasicRequestTokenError},
+    ConfigurationError, DeviceCodeErrorResponse, DeviceCodeErrorResponseType, HttpClientError,
+    RequestTokenError, StandardErrorResponse,
 };
 use thiserror::Error;
 use url::Url;
@@ -115,14 +116,9 @@ pub enum DeviceAuhorizationOidcError {
     #[error(transparent)]
     Oidc(#[from] crate::authentication::oidc::OidcError),
 
-    /// The issuer URL failed to be parsed.
-    #[error(transparent)]
-    InvalidIssuerUrl(#[from] url::ParseError),
-
-    /// There was an error with our device configuration right before attempting
-    /// to wait for the access token to be issued by the OIDC provider.
-    #[error(transparent)]
-    Configuration(#[from] ConfigurationError),
+    /// The OAuth 2.0 server doesn't support the device authorization grant.
+    #[error("OAuth 2.0 server doesn't support the device authorization grant")]
+    NoDeviceAuthorizationEndpoint,
 
     /// An error happened while we attempted to discover the authentication
     /// issuer URL.
@@ -132,28 +128,14 @@ pub enum DeviceAuhorizationOidcError {
     /// An error happened while we attempted to request a device authorization
     /// from the OIDC provider.
     #[error(transparent)]
-    DeviceAuthorization(
-        #[from]
-        RequestTokenError<
-            HttpClientError<reqwest::Error>,
-            StandardErrorResponse<CoreErrorResponseType>,
-        >,
-    ),
+    DeviceAuthorization(#[from] BasicRequestTokenError<HttpClientError<reqwest::Error>>),
 
     /// An error happened while waiting for the access token to be issued and
     /// sent to us by the OIDC provider.
     #[error(transparent)]
     RequestToken(
-        #[from]
-        RequestTokenError<
-            HttpClientError<reqwest::Error>,
-            StandardErrorResponse<DeviceCodeErrorResponseType>,
-        >,
+        #[from] RequestTokenError<HttpClientError<reqwest::Error>, DeviceCodeErrorResponse>,
     ),
-
-    /// An error happened during the discovery of the OIDC provider metadata.
-    #[error(transparent)]
-    Discovery(#[from] DiscoveryError<HttpClientError<reqwest::Error>>),
 }
 
 impl DeviceAuhorizationOidcError {