continuwuation/continuwuity
9
17
Fork 10
Code Issues 78 Pull requests 9 Projects Releases 16 Packages 1 Activity Actions 1

Implement MSC3861 support for OIDC authentication #209

New issue
Closed
opened 2024-03-09 22:13:16 +00:00 by tcpipuk · 11 comments
tcpipuk commented 2024-03-09 22:13:16 +00:00 (Migrated from github.com)
Copy link

Many server admins prefer to centralise their authentication, so they can use a single system for login across all of their applications, then use one (ideally MFA) system for their users to login.

This simplifies user management, but also helps avoid requests for user management features, as password management and 3PID are handled by the OIDC provider instead of the Matrix server.

The overall MSC3861 exists for this, and has not yet been merged, but it's approaching maturity and MSC2964 specifies a comprehensive list of endpoints a server would require to handle OIDC authentication.

Many server admins prefer to centralise their authentication, so they can use a single system for login across all of their applications, then use one (ideally MFA) system for their users to login. This simplifies user management, but also helps avoid requests for user management features, as password management and 3PID are handled by the OIDC provider instead of the Matrix server. The overall [MSC3861](https://github.com/matrix-org/matrix-spec-proposals/pull/3861) exists for this, and has not yet been merged, but it's approaching maturity and [MSC2964](https://github.com/sandhose/matrix-doc/blob/msc/sandhose/oauth2-profile/proposals/2964-oauth2-profile.md) specifies a comprehensive list of endpoints a server would require to handle OIDC authentication.
👍 26 👀 2 ❤️ 7
zoujiaqing commented 2024-04-03 01:19:00 +00:00 (Migrated from github.com)
Copy link

Good!
This feature is very good!

Good! This feature is very good!
🚀 3
zoujiaqing commented 2024-04-03 01:35:40 +00:00 (Migrated from github.com)
Copy link

conduit support OIDC status:
https://gitlab.com/famedly/conduit/-/merge_requests/587

conduit support OIDC status: https://gitlab.com/famedly/conduit/-/merge_requests/587
wrenix commented 2024-07-01 08:25:10 +00:00 (Migrated from github.com)
Copy link

Moved to here:
https://gitlab.com/famedly/conduit/-/merge_requests/676

Moved to here: https://gitlab.com/famedly/conduit/-/merge_requests/676
morguldir commented 2024-07-01 14:23:08 +00:00 (Migrated from github.com)
Copy link

That's legacy SSO from my understanding, still interesting though

That's legacy SSO from my understanding, still interesting though
bartvdbraak commented 2024-11-15 02:00:36 +00:00 (Migrated from github.com)
Copy link

I'd love to add this feature to my HS!

I'd love to add this feature to my HS!
👍 4
lafleurdeboum commented 2025-03-13 15:58:27 +00:00 (Migrated from github.com)
Copy link

Please correct me if I'm wrong :

  • we could support MSC3861 either by implementing all endpoints in MSC2964, or by supporting external authentication providers, such as keycloak, ory or matrix-authentication-service - ideally, any OAuth2 provider
  • the latter would require less work and prove more useful, as it would let conduwuit administrators integrate a matrix service behind an existing auth service
  • MSC3861 and related describe the clients' requested features in great details, but don't tell what it takes for a homeserver to use an authentication provider
  • MSC3861 complies with OAuth2, so RFC7662 is relevant to implement token in(tro)spection
  • matrix-authentication-service says it only supports Synapse, but if it complies with MSC3861 which in turn complies with OAuth2, then its homeserver-facing API should comply with some canonical URI
  • the bare minimum would be to implement the authentication server advertising (MSC2964), and token inspection (previous RFC) - that would at least let clients get an access token, refresh it, and change the user's password using the authentication server, and let users access their account with that token - MSC3861-ready clients should do the needed transactions directly with the auth provider
Please correct me if I'm wrong : - we could support MSC3861 either by implementing all endpoints in MSC2964, or by supporting external authentication providers, such as keycloak, [ory](https://www.ory.sh/docs/welcome) or [matrix-authentication-service](https://element-hq.github.io/matrix-authentication-service) - ideally, any OAuth2 provider - the latter would require less work and prove more useful, as it would let conduwuit administrators integrate a matrix service behind an existing auth service - MSC3861 and related describe the clients' requested features in great details, but don't tell what it takes for a homeserver to use an authentication provider - MSC3861 complies with OAuth2, so [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662) is relevant to implement token in(tro)spection - matrix-authentication-service says it only supports Synapse, but if it complies with MSC3861 which in turn complies with OAuth2, then its homeserver-facing API should comply with some canonical URI - the bare minimum would be to implement the authentication server advertising (MSC2964), and token inspection (previous RFC) - that would at least let clients get an access token, refresh it, and change the user's password using the authentication server, and let users access their account with that token - MSC3861-ready clients should do the needed transactions directly with the auth provider
lafleurdeboum commented 2025-03-13 16:03:49 +00:00 (Migrated from github.com)
Copy link

... Or perhaps OAuth2 doesn't prescribe canonical URIs for eg token introspection, and we'll have to use distinct APIs depending on what auth provider we support 😥

I skimmed through RFC6749 (oauth2) and RFC7662 (token introspection), I couldn't find no URI prescription.

So I guess auth providers are free to provide their own API endpoints. I found in Synapse's MSC3861 implementation that OpenID Connect Discovery can be queried at an auth provider's /.well-known/openid-configuration to reveal its configuration.

... Or perhaps OAuth2 doesn't prescribe canonical URIs for eg token introspection, and we'll have to use distinct APIs depending on what auth provider we support 😥 I skimmed through [RFC6749](https://datatracker.ietf.org/doc/html/rfc6749) (oauth2) and [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662) (token introspection), I couldn't find no URI prescription. ~So I guess auth providers are free to provide their own API endpoints.~ I found in [Synapse's MSC3861 implementation](https://github.com/element-hq/synapse/blob/ca290d325c762968e66842470475f05ae71a2aea/synapse/api/auth/msc3861_delegated.py#L181) that [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig) can be queried at an auth provider's `/.well-known/openid-configuration` to reveal its configuration.
samip5 commented 2025-04-03 13:07:37 +00:00 (Migrated from github.com)
Copy link

It seems that upstream conduit has an PR for SSO: https://gitlab.com/famedly/conduit/-/merge_requests/676

It seems that upstream conduit has an PR for SSO: https://gitlab.com/famedly/conduit/-/merge_requests/676
girlbossceo commented 2025-04-03 13:08:58 +00:00 (Migrated from github.com)
Copy link

It has countless code flaws and problems, maintenance issues, and the author of the MR has left Conduit and has abandoned the MR. We will not be working off of this.

It has countless code flaws and problems, maintenance issues, and the author of the MR has left Conduit and has abandoned the MR. We will not be working off of this.
samip5 commented 2025-04-03 13:16:47 +00:00 (Migrated from github.com)
Copy link

As I haven't really coded Rust (But Python, TypeScript and Go) at all, to me it doesn't appear that bad that we couldn't be working off it?

As I haven't really coded Rust (But Python, TypeScript and Go) at all, to me it doesn't appear that bad that we couldn't be working off it?
👎 2
nex added the
Inherited
 label 2025-04-14 23:38:18 +00:00
nex commented 2025-04-30 14:24:01 +00:00
Owner
Copy link

Duplicate of #765

Duplicate of #765
nex closed this issue 2025-04-30 14:24:01 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
illegal-car-mods
nex/fix-create-auth
jade/relations
jade/sec-policy-fixes
jade/msc2815
jade/syncv5-typing
jade/security-policy
nex/fix-eager-empty-sync
nex/fix-join-sync-state
jade/purge-sync-tokens
jade/logging-features
jade/ci-fix-tom
morguldir/see-eye
jade/auto-support-creation
jade/rust-toolchain-no-targets
jade/fix-knock-restricted
jade/tuwunel-2025-05
jade/css-small-screen
jade/ci-checks
jade/more-renames
nex/wip-751
jade/typos
jade/html-default-page
dahsa_uwu/axum-0.8
tcpipuk/cinny
jade/messages-more-strict-validation
jade/read-receipts
jade/announcements-checker
jade/tuwunel-ci
tuwunel-rebase
jade/enable-buildx-cache
jade/docker-ci
test
renovate/nixos-nix-2.x
renovate/smallvec-1.x-lockfile
renovate/lock-file-maintenance
renovate/axum-client-ip-1.x
renovate/rand-0.x
renovate/ctor-0.x
renovate/cargo_toml-0.x
renovate/axum-client-ip-0.x
renovate/opentelemetry-rust-monorepo
renovate/axum-monorepo
renovate/itertools-0.x
strawberry/nix-ci-stuff
strawberry/valgrind
strawberry/morgs-snake-sync-jason-main
newer-media-endpoints
folly-coroutines-async-io
federation-retry-timer-port
bad-attempt-at-extracting-homeserver-signing-key
room-deletion-attempt-do-not-use
v0.5.0-rc.5
v0.5.0-rc4
v0.5.0-rc3
v0.5.0-rc2
v0.5.0-rc
v0.4.7-rc
v0.4.6
v0.4.6-rc
v0.4.5-rc
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
Labels
Clear labels   
Bug

Something isn't working as intended

  
Cherry-picking

Commits picked from other conduit projects

  
Database

This requires or includes changes to the database

  
Dependencies

Something dependency related

  
Documentation

Improvements or additions to documentation

  
Enhancement

New feature or request

  
Good first issue

Good for newcomers

  
Help wanted

Additional eyes and keyboards are required for this one

  
Inherited

Issues that have been inhereted from the project pre-fork

  
Matrix/Administration

Features pertaining to homeserver administration

  
Matrix/Appservices

Features pertaining to the appservice API

  
Matrix/Auth

Features pertaining to authentication

  
Matrix/Client

Features pertaining to client-to-server interactions

  
Matrix/Core

   
Matrix/Federation

Features pertaining to server-to-server interactions

  
Matrix/MSC

Features pertaining to unstable matrix features

  
Matrix/Media

Features pertaining to media interactions

  
Meta

Related to housekeeping, maintenance, or other repo-meta.

  
Meta/Packaging

Packaging

  
Priority
Blocking
This issue is blocking the next release

  
Priority
High
This issue is very important

  
Priority
Low
This issue is of a rather low priority

  
Security

This item is related to general security

  
Status
Confirmed

  
Status
Duplicate
This issue or pull request already exists

  
Status
Invalid
This issue doesn't seem right

  
Status
Needs Investigation
This issue needs further investigation

  
Wont fix

This will not be worked on

  
old/ci/cd

Ci/CD

Archived

  
old/rust

Pull requests that update Rust code

Archived

No labels
Bug
Cherry-picking
Database
Dependencies
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/Federation
Matrix/MSC
Matrix/Media
Meta
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
Wont fix
old/ci/cd
old/rust
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: continuwuation/continuwuity#209
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?