continuwuation/continuwuity
9
17
Fork 10
Code Issues 78 Pull requests 9 Projects Releases 16 Packages 1 Activity Actions 1

feat: OIDC and external authentication providers #765

New issue
Open
opened 2025-04-16 19:27:12 +00:00 by nex · 4 comments
nex commented 2025-04-16 19:27:12 +00:00
Owner
Copy link

Being able to delegate authentication to an external provider can be beneficial for reducing the number passwords people need to use, as well as allowing us to skip the anti-spam steps of email verification and captcha checking.

Also, something something MAS

Being able to delegate authentication to an external provider can be beneficial for reducing the number passwords people need to use, as well as allowing us to skip the anti-spam steps of email verification and captcha checking. Also, something something MAS
nex added the
Enhancement
Matrix/Administration
Matrix/Client
Matrix/Auth
 labels 2025-04-16 19:27:12 +00:00
Jade commented 2025-04-17 00:17:06 +00:00
Owner
Copy link

It's probably worth skipping implementing legacy OIDC and doing this as we implement the new OAuth MSCs

It's probably worth skipping implementing legacy OIDC and doing this as we implement the new OAuth MSCs
nex commented 2025-04-30 14:24:41 +00:00
Author
Owner
Copy link

see: #810

see: #810
lafleur commented 2025-05-01 23:40:47 +00:00
Copy link

Indeed ! #810 aims at letting continuwuity act as an OIDC provider. My ambition is to add the ability to forward authentication to a standard external OIDC provider (in another PR), with kanidm as a testbed. But #810 is not done yet.

I initially thought I would only implement it as a forwarder to the MAS server, but then I thought about some drawbacks :

  • each token check has to be forwarded to that server, creating latency (and attack surface)
  • that would somewhat bind continuwuity to MAS, which in turn seems to be developed along synapse

So I'm trying to focus on MSCs and OIDC compliance, aiming at a more robust feature. The OIDC authentication flow is provided by oxide-auth, which was a bit painful to get right, but is very comprehensive, and seems maintained.

Also, there are several web endpoints in the new ones provided by MSC3861, and there's going to be some user experience care needed at some point.

Indeed ! #810 aims at letting continuwuity act as an OIDC provider. My ambition is to add the ability to forward authentication to a standard external OIDC provider (in another PR), with kanidm as a testbed. But #810 is not done yet. I initially thought I would only implement it as a forwarder to the [MAS server](https://github.com/element-hq/matrix-authentication-service), but then I thought about some drawbacks : - each token check has to be forwarded to that server, creating latency (and attack surface) - that would somewhat bind continuwuity to MAS, which in turn seems to be developed along synapse So I'm trying to focus on MSCs and OIDC compliance, aiming at a more robust feature. The OIDC authentication flow is provided by [`oxide-auth`](https://docs.rs/oxide-auth), which was a bit painful to get right, but is very comprehensive, and seems maintained. Also, there are several web endpoints in the new ones provided by MSC3861, and there's going to be some user experience care needed at some point.
❤️ 1
lafleur commented 2025-05-01 23:45:02 +00:00
Copy link

BTW, I had exposed my perspective in a (migrated) github issue

BTW, I had exposed my perspective in [a (migrated) github issue](https://forgejo.ellis.link/continuwuation/continuwuity/issues/209#issuecomment-14547)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
illegal-car-mods
nex/fix-create-auth
jade/relations
jade/sec-policy-fixes
jade/msc2815
jade/syncv5-typing
jade/security-policy
nex/fix-eager-empty-sync
nex/fix-join-sync-state
jade/purge-sync-tokens
jade/logging-features
jade/ci-fix-tom
morguldir/see-eye
jade/auto-support-creation
jade/rust-toolchain-no-targets
jade/fix-knock-restricted
jade/tuwunel-2025-05
jade/css-small-screen
jade/ci-checks
jade/more-renames
nex/wip-751
jade/typos
jade/html-default-page
dahsa_uwu/axum-0.8
tcpipuk/cinny
jade/messages-more-strict-validation
jade/read-receipts
jade/announcements-checker
jade/tuwunel-ci
tuwunel-rebase
jade/enable-buildx-cache
jade/docker-ci
test
renovate/nixos-nix-2.x
renovate/smallvec-1.x-lockfile
renovate/lock-file-maintenance
renovate/axum-client-ip-1.x
renovate/rand-0.x
renovate/ctor-0.x
renovate/cargo_toml-0.x
renovate/axum-client-ip-0.x
renovate/opentelemetry-rust-monorepo
renovate/axum-monorepo
renovate/itertools-0.x
strawberry/nix-ci-stuff
strawberry/valgrind
strawberry/morgs-snake-sync-jason-main
newer-media-endpoints
folly-coroutines-async-io
federation-retry-timer-port
bad-attempt-at-extracting-homeserver-signing-key
room-deletion-attempt-do-not-use
v0.5.0-rc.5
v0.5.0-rc4
v0.5.0-rc3
v0.5.0-rc2
v0.5.0-rc
v0.4.7-rc
v0.4.6
v0.4.6-rc
v0.4.5-rc
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
Labels
Clear labels   
Bug

Something isn't working as intended

  
Cherry-picking

Commits picked from other conduit projects

  
Database

This requires or includes changes to the database

  
Dependencies

Something dependency related

  
Documentation

Improvements or additions to documentation

  
Enhancement

New feature or request

  
Good first issue

Good for newcomers

  
Help wanted

Additional eyes and keyboards are required for this one

  
Inherited

Issues that have been inhereted from the project pre-fork

  
Matrix/Administration

Features pertaining to homeserver administration

  
Matrix/Appservices

Features pertaining to the appservice API

  
Matrix/Auth

Features pertaining to authentication

  
Matrix/Client

Features pertaining to client-to-server interactions

  
Matrix/Core

   
Matrix/Federation

Features pertaining to server-to-server interactions

  
Matrix/MSC

Features pertaining to unstable matrix features

  
Matrix/Media

Features pertaining to media interactions

  
Meta

Related to housekeeping, maintenance, or other repo-meta.

  
Meta/Packaging

Packaging

  
Priority
Blocking
This issue is blocking the next release

  
Priority
High
This issue is very important

  
Priority
Low
This issue is of a rather low priority

  
Security

This item is related to general security

  
Status
Confirmed

  
Status
Duplicate
This issue or pull request already exists

  
Status
Invalid
This issue doesn't seem right

  
Status
Needs Investigation
This issue needs further investigation

  
Wont fix

This will not be worked on

  
old/ci/cd

Ci/CD

Archived

  
old/rust

Pull requests that update Rust code

Archived

No labels
Bug
Cherry-picking
Database
Dependencies
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/Federation
Matrix/MSC
Matrix/Media
Meta
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
Wont fix
old/ci/cd
old/rust
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: continuwuation/continuwuity#765
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?