WIP: act as a Matrix OIDC auth provider #810

Draft
lafleur wants to merge 60 commits from lafleur/continuwuity:as-oidc-provider into main

60 commits

Author SHA1 Message Date
1340251362 chore: Fixup (satisfy CI) 2025-12-10 21:56:23 +00:00
Some checks failed
Documentation / Build and Deploy Documentation (pull_request) Has been skipped
Update flake hashes / update-flake-hashes (pull_request) Successful in 13s
Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 2m11s
Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 11m47s
4dc537379d add some docstrings 2025-12-10 21:54:48 +00:00
Some checks failed
Documentation / Build and Deploy Documentation (pull_request) Has been skipped
Update flake hashes / update-flake-hashes (pull_request) Successful in 13s
Checks / Prek / Clippy and Cargo Tests (pull_request) Has been cancelled
Checks / Prek / Pre-commit & Formatting (pull_request) Has been cancelled
b692f61c31 update TODO tags 2025-12-10 21:54:48 +00:00
3f02d1c0ff move OidcEndpoint to its separate source file 2025-12-10 21:54:48 +00:00
e6d9acd49f chore: run cargo fmt 2025-12-10 21:54:48 +00:00
2aa2a80481 add docstrings 2025-12-10 21:54:48 +00:00
bfb162c907 OidcIssuer: add debug logs 2025-12-10 21:54:48 +00:00
90443f09b2 remove failing and useless test 2025-12-10 21:54:48 +00:00
99720a4298 chore: run cargo +nightly fmt 2025-12-10 21:54:48 +00:00
7918ff07c8 move endpoint to oidc crate, reorganize 2025-12-10 21:54:48 +00:00
f5826b5b84 typos 2025-12-10 21:54:48 +00:00
578d44672b chore: run cargo +nightly fmt 2025-12-10 21:54:48 +00:00
70cdb5f865 OIDC: use async auth flows 2025-12-10 21:54:48 +00:00
605be506d2 chore: cargo +nightly fmt 2025-12-10 21:54:48 +00:00
984b7c5668 OIDC: reimplement using rocksdb and oxide-auth-async
devices and their tokens use the global registries and services::users commands,
and some db registries are added:
- clientid_oidcclient (stores OIDC client details)
- oidcdeviceid_grant (stores oxide-auth grant details)
- refreshtoken_userdeviceidexpiresat (stores refresh tokens' expiry date)
- userdeviceid_oidcdevice (stores OIDC device details)

This implementation lacks the owner consent dialog. This will be addressed in
a future commit.
2025-12-10 21:54:48 +00:00
d6317af611 OIDC: improve web templates
- fixes CSP issues with localhost
- better consent message
- use askama urlencode_strict
2025-12-10 21:54:48 +00:00
568853b900 registrar: fix error type on deser error 2025-12-10 21:54:48 +00:00
dab89d561c impl persistent tokens + MSC4254 (token revoke)
adds an "issuer_secret" to config.auth that lets the issuer persist tokens
between continuwuity restarts
2025-12-10 21:54:48 +00:00
9461fb18f4 chore: Update Cargo.lock 2025-12-10 21:54:48 +00:00
77422cebbb chore: Fix template EOFs 2025-12-10 21:54:48 +00:00
9a133ba7ee chore: Clippy and formatting 2025-12-10 21:54:48 +00:00
72879daf28 fix accidental project name regression 2025-12-10 21:54:48 +00:00
418b5d8a5f OIDC: fix build after rebase 2025-12-10 21:54:48 +00:00
9c475b2992 OIDC: impl client_registrar over db (sync impl) 2025-12-10 21:54:48 +00:00
0f03909b19 OIDC auth flow: correct device registration 2025-12-10 21:54:48 +00:00
f37f169934 OIDC private clients: correct client secret 2025-12-10 21:54:48 +00:00
0258fd3fa4 unlimit log levels and update Cargo.lock 2025-12-10 21:54:48 +00:00
6818cf462b oidc: implement registering devices 2025-12-10 21:54:48 +00:00
2b13a2c603 WIP: show discrepancy between device_id and client_id 2025-12-10 21:54:48 +00:00
df290c1013 add services::oidc::user_and_device_from_token(), use in auth 2025-12-10 21:54:48 +00:00
534aabe3f7 OIDC: embed user_id in consent 2025-12-10 21:54:48 +00:00
db3c7abe3a web::login: add form-data CSP rules for localhost 2025-12-10 21:54:48 +00:00
ad37af26b8 add some OIDC docstrings 2025-12-10 21:54:48 +00:00
592c06f738 fix oxide-auth's redirect_uri comparison
oxide-auth's `RegisteredUrl::IgnorePortOnLocalhost` doesn't work when the host is 127.0.0.1 or [::1].
This commit lets the authentication process translate the host. The new registrar already supports this.
2025-12-10 21:54:48 +00:00
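The redirect_uri comparison that the commit above fixes, as an added example that is not continuwuity's or oxide-auth's code: exact matching of the presented redirect_uri against the registered one, with the loopback exception of RFC 8252 section 7.3 (a native client binds an ephemeral port, so any port is accepted on a loopback host). It assumes a policy, not stated on the page, that 127.0.0.1, [::1] and localhost are interchangeable spellings of the same loopback host; the std-only URI parser and all names are this example's own.

```rust
// Added example (not continuwuity's or oxide-auth's code): redirect_uri matching
// with the loopback exception of RFC 8252 section 7.3. 127.0.0.1, [::1] and
// localhost are treated as one host and any port is accepted for them (assumed
// policy); every other host must match scheme, host, port, path and query exactly.
use std::net::IpAddr;

/// Components of a redirect URI that take part in the comparison.
#[derive(Debug, PartialEq, Eq)]
pub struct RedirectUri {
    pub scheme: String,
    /// Lower-cased host; IPv6 literals are stored without the brackets.
    pub host: String,
    pub port: Option<u16>,
    /// Path plus query, compared byte for byte (no normalisation).
    pub path_and_query: String,
}

/// Parse `scheme://host[:port][/path][?query]`. Returns None on anything odd:
/// a fragment (forbidden in redirect URIs by RFC 6749 section 3.1.2), a missing
/// host, or an unparsable port. Refusing to parse means refusing to match.
pub fn parse_redirect_uri(uri: &str) -> Option<RedirectUri> {
    if uri.contains('#') {
        return None;
    }
    let (scheme, rest) = uri.split_once("://")?;
    let (authority, path_and_query) = match rest.find(|c| c == '/' || c == '?') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    let (host, port) = if let Some(stripped) = authority.strip_prefix('[') {
        // Bracketed IPv6 literal, e.g. [::1]:8080
        let (h, after) = stripped.split_once(']')?;
        let port = match after.strip_prefix(':') {
            Some(p) => Some(p.parse::<u16>().ok()?),
            None if after.is_empty() => None,
            None => return None,
        };
        (h.to_string(), port)
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h.to_string(), Some(p.parse::<u16>().ok()?)),
            None => (authority.to_string(), None),
        }
    };
    if host.is_empty() {
        return None;
    }
    Some(RedirectUri {
        scheme: scheme.to_ascii_lowercase(),
        host: host.to_ascii_lowercase(),
        port,
        path_and_query: path_and_query.to_string(),
    })
}

/// Loopback as RFC 8252 understands it: 127.0.0.0/8, ::1, or the name
/// "localhost" (the RFC discourages the name, but native clients still use it).
pub fn is_loopback_host(host: &str) -> bool {
    match host.parse::<IpAddr>() {
        Ok(ip) => ip.is_loopback(),
        Err(_) => host == "localhost",
    }
}

/// Decide whether a redirect_uri presented in an authorization request matches
/// the URI the client registered.
pub fn redirect_uri_matches(registered: &str, presented: &str) -> bool {
    let (reg, pre) = match (parse_redirect_uri(registered), parse_redirect_uri(presented)) {
        (Some(r), Some(p)) => (r, p),
        _ => return false,
    };
    // Scheme, path and query must always match exactly: a different path on the
    // same host could hand the authorization code to a page the client does not control.
    if reg.scheme != pre.scheme || reg.path_and_query != pre.path_and_query {
        return false;
    }
    if is_loopback_host(&reg.host) && is_loopback_host(&pre.host) {
        // Port is ignored and 127.0.0.1 / [::1] / localhost are equivalent (assumed policy).
        return true;
    }
    // Everything else: exact host and port, with no default-port folding, so
    // https://a/cb and https://a:443/cb are deliberately distinct.
    reg.host == pre.host && reg.port == pre.port
}

fn main() {
    for (registered, presented) in [
        ("http://localhost:3000/callback", "http://127.0.0.1:41234/callback"),
        ("http://[::1]:3000/callback", "http://localhost/callback"),
        ("https://app.example.org/cb", "https://app.example.org:8443/cb"),
        ("https://app.example.org/cb", "https://app.example.org/cb?x=1"),
    ] {
        println!("{registered} <- {presented}: {}", redirect_uri_matches(registered, presented));
    }
}
```

The loopback branch fires only when both the registered and the presented host are loopback, so a loopback registration can never be satisfied by a public host, and the fragment check rejects the URI outright rather than stripping it.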
69bffe2894 basic OIDC client registrar with auth tracing 2025-12-10 21:54:48 +00:00
05b04526c7 OIDC: make response_mode optional
Fractal omits the `response_mode` field when in an auth flow (its value must be
the literal "S256", so it's mainly here for OIDC compliance I guess). Accepting
this lets it proceed to the next authentication step.
2025-12-10 21:54:48 +00:00
8df5647346 support OIDC private clients 2025-12-10 21:54:48 +00:00
ffbed9835e oidc: add debug/trace logs 2025-12-10 21:54:48 +00:00
d8e2cce6da oidc authorize: make response_mode optional 2025-12-10 21:54:48 +00:00
0231659d5c fix build warning: explicit cast 2025-12-10 21:54:48 +00:00
82279aed73 fix build errors 2025-12-10 21:54:48 +00:00
06072080c0 fixup! fix OidcResponse: reimplement IntoResponse 2025-12-10 21:54:48 +00:00
d96ddf5cb1 fix OidcResponse: reimplement IntoResponse 2025-12-10 21:54:48 +00:00
48e283d86d chore: fix up 2025-12-10 21:54:48 +00:00
a5925327fd oidc: small cosmetics + typos 2025-12-10 21:54:48 +00:00
fcabdac87e remove stale debugging logs
I don't have the hd space to do debug builds, so I use tracing::info to debug
on release builds. Silly, right?
2025-12-10 21:54:48 +00:00
6dbfef5b62 use config.server_name as title in OIDC pages 2025-12-10 21:54:48 +00:00
d284dffc47 fix oidc_provider discovery message and docstrings 2025-12-10 21:54:48 +00:00
11d3855fa7 typos oidc_provider discovery 2025-12-10 21:54:48 +00:00
f6c5231fb6 fix oidc_provider config section's doc generation 2025-12-10 21:54:48 +00:00
5a48ce44bb fix: Don't crash when the client URL doesn't have a domain
Having a URL with an IP literal, for example, is allowed
2025-12-10 21:54:48 +00:00
25f051b1d8 fix: Use correct CSP for login page 2025-12-10 21:54:48 +00:00
8991d3935d chore: Ignore formatting PR in blame 2025-12-10 21:54:48 +00:00
b4f9dc35c1 chore: Fix most clippy issue, format & typos 2025-12-10 21:54:48 +00:00
fa9424f8e6 remove stale dependency oxide-auth-axum 2025-12-10 21:54:48 +00:00
0766b628ee feat(oidc_provider) use askama templates
Implements a custom OidcResponse with CSP headers and oxide-auth processing
compatibility.
2025-12-10 21:54:48 +00:00
08f536c335 rebase on current main 2025-12-10 21:54:48 +00:00
eb06fa1a85 impl MSC2966: register clients dynamically 2025-12-10 21:54:48 +00:00
650108ac81 impl MSC2964: OIDC token flow 2025-12-10 21:54:48 +00:00
4fb7cf0eee impl MSC2965: self-advertise as OIDC authentication provider
MSC2965 proposes to let the homeserver advertise its current OIDC authentication
issuer. These changes let conduwuit advertise itself as the issuer when
[global.auth.enable_oidc_login] is set. It also advertises its account management
endpoint if [global.auth.enable_oidc_account_management] is set.

None of these endpoints are implemented. This commit only implements the bare
advertisement, as requested by the MSC.
2025-12-10 21:54:48 +00:00