Add support for delegated authentication with OIDC #1886
Labels
No labels
Abandoned
Blocked
Bug
Changelog
Added
Changelog
Missing
Changelog
None
Cherry-picking
Database
Dependencies
Dependencies/Renovate
Difficulty
Easy
Difficulty
Hard
Difficulty
Medium
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/E2EE
Matrix/Federation
Matrix/Hydra
Matrix/MSC
Matrix/Media
Matrix/T&S
Merge
Merge/Manual
Merge/Squash
Meta
Meta/CI
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
Support
No project
No assignees
4 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
continuwuation/continuwuity!1886
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "ginger/oidc"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This pull request adds support for delegating authentication to an external identity provider using OIDC. Only clients that natively support OAuth login can use this feature.
Closes #765.
Pull request checklist:
mainbranch, and the branch is named something other thanmain.myself, if applicable. This includes ensuring code compiles.
c604e80f809008341b109008341b10c8c629fce66c381e7b69b1e46ad667WIP: Add support for delegated authentication with OIDCto Add support for delegated authentication with OIDCreview 1
@ -54,15 +54,22 @@ impl Service {async fn set_emergency_access(&self) -> Result {let server_user = &self.services.globals.server_user;Both methods here will fail if the server_user doesn't exist, ie on a fresh database
Creating the admin room and server user is done as part of creating a fresh database, so this can never fail
@ -821,0 +849,4 @@assert!(hash.is_empty(), "non-empty hash {hash} for remote user {user_id}");remoteuserid_remoteuser.insert(&user_id, "");userid_password.remove(&user_id);Uh, are we allowed to mutate the table while streaming it? feels sus
Yes, rocksdb iterators create a snapshot of the column. Other migrations also do this.
@ -0,0 +302,4 @@} else {return Ok(SessionCompletionStatus::NeedsUserId);}} else if let Some(preferred_username) = all_claims.get(&config.preferred_username_claim)Perform the unwrapping for preferred_username being a string here, to avoid panicking on unexpected data
d4b14ce359f57485b8b76cbf092170a5ee1fb009hello :o ! Very excited for the oidc work thank y'all for this incredible piece of software !
I just wanted to point that there should probably be a client_secret_file in the config, as is done for the other secrets to ease its declaration in nixos/ansible types of setup where the repo might be public and the secret would be in an external file !
@LyesSaadi wrote in #1886 (comment):
I've added a config option to do that, thank you for the suggestion!
af29d7d1f0514c3bbcbfok