9f983fe057
WIP: show discrepancy between device_id and client_id
2025-08-12 20:41:11 +02:00
c4229509d9
add services::oidc::user_and_device_from_token(), use in auth
2025-08-12 20:30:58 +02:00
c059dbb337
OIDC: embed user_id in consent
2025-08-12 14:20:32 +02:00
a536bc4c97
web::login: add form-data CSP rules for localhost
2025-08-12 14:20:13 +02:00
50c6f32ce8
add some OIDC docstrings
2025-08-12 14:20:03 +02:00
2784eec60a
fix oxide-auth's redirect_uri comparison
...
oxide-auth's `RegisteredUrl::IgnorePortOnLocalhost` doesn't work when the host is 127.0.0.1 or [::1].
This commit lets the authentication process translate the host. The new registrar already supports this.
2025-08-12 14:19:51 +02:00
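The loopback-port handling the commit above describes, as an added example that is not conduwuit's or oxide-auth's code: a `redirect_uri` check that treats `localhost`, `127.0.0.1` and `[::1]` alike (RFC 8252 §7.3 lets a native client pick its loopback port at runtime, so the port is ignored there) while requiring an exact scheme, host, port and path+query match everywhere else. The tiny URI parser, the `ParsedUri` type and the function names are assumptions made for this example; it uses only the Rust standard library.

```rust
use std::net::IpAddr;

/// Minimal split of `scheme://host[:port]/path?query` (assumption: enough for
/// redirect URIs, which per RFC 6749 carry no fragment and here no userinfo).
#[derive(Debug, PartialEq, Eq)]
struct ParsedUri<'a> {
    scheme: &'a str,
    host: &'a str,       // IPv6 literals are stored without the brackets
    port: Option<u16>,   // None when the URI names no explicit port
    path: &'a str,       // path plus query string, compared verbatim
}

fn parse(uri: &str) -> Option<ParsedUri<'_>> {
    let (scheme, rest) = uri.split_once("://")?;
    // A fragment is never allowed in a redirect URI; reject instead of ignoring it.
    if rest.contains('#') {
        return None;
    }
    let (authority, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, "/"),
    };
    if authority.contains('@') {
        return None;
    }
    let (host, port) = if let Some(after_bracket) = authority.strip_prefix('[') {
        // IPv6 literal: everything up to ']' is the host, an optional ":port" follows.
        let (host, tail) = after_bracket.split_once(']')?;
        let port = match tail.strip_prefix(':') {
            Some(p) => Some(p.parse::<u16>().ok()?),
            None if tail.is_empty() => None,
            None => return None,
        };
        (host, port)
    } else {
        match authority.rsplit_once(':') {
            Some((host, p)) => (host, Some(p.parse::<u16>().ok()?)),
            None => (authority, None),
        }
    };
    if host.is_empty() {
        return None;
    }
    Some(ParsedUri { scheme, host, port, path })
}

/// `localhost` or any loopback IP literal (127.0.0.0/8, ::1).
fn is_loopback(host: &str) -> bool {
    host.eq_ignore_ascii_case("localhost")
        || host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

/// Compare a presented redirect_uri against the registered one.
/// Scheme, host and path+query must match exactly; the port is ignored only
/// when the host is a loopback address, on either side of the comparison.
fn redirect_uri_matches(registered: &str, presented: &str) -> bool {
    let (reg, pres) = match (parse(registered), parse(presented)) {
        (Some(r), Some(p)) => (r, p),
        _ => return false,
    };
    if !reg.scheme.eq_ignore_ascii_case(pres.scheme) || !reg.host.eq_ignore_ascii_case(pres.host) {
        return false;
    }
    if reg.path != pres.path {
        return false;
    }
    if is_loopback(reg.host) {
        return true;
    }
    reg.port == pres.port
}

fn main() {
    // Constructed inputs: a registered loopback client and a few presented URIs.
    let registered = "http://127.0.0.1/callback";
    for presented in [
        "http://127.0.0.1:49152/callback",   // loopback, port chosen at runtime: accepted
        "http://127.0.0.1:49152/other",      // different path: rejected
        "http://127.0.0.1.evil.example/callback", // different host: rejected
    ] {
        println!("{presented} -> {}", redirect_uri_matches(registered, presented));
    }
}
```

The host comparison is byte-wise after case folding, so `localhost` never matches `localhost.evil.example`, and a registered non-loopback URI such as `https://app.example/cb` still rejects `https://app.example:8443/cb`.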
6d9aee4d9f
basic OIDC client registrar with auth tracing
2025-08-12 14:19:37 +02:00
696adfc90b
OIDC: make response_mode optional
...
Fractal omits the `response_mode` field when in an auth flow (its value must be
the literal "S256", so it's mainly here for OIDC compliance I guess). Accepting
this lets it proceed to the next authentication step.
2025-08-12 14:18:19 +02:00
511e60b41d
support OIDC private clients
2025-08-12 14:17:32 +02:00
14f6d07b27
oidc: add debug/trace logs
2025-08-12 12:26:23 +02:00
98c7795982
oidc authorize: make response_mode optional
2025-08-12 12:26:17 +02:00
6cc854ac76
fix build warning: explicit cast
2025-08-12 11:58:13 +02:00
aa206e4f90
fix build errors
2025-07-02 02:02:17 +01:00
a71a8e0c6d
fixup! fix OidcResponse: reimplement IntoResponse
2025-07-02 02:02:17 +01:00
fbf190b5d9
fix OidcResponse: reimplement IntoResponse
2025-07-02 02:02:17 +01:00
766dba889b
chore: fix up
2025-07-02 02:02:16 +01:00
0fbe9b95de
oidc: small cosmetics + typos
2025-07-02 02:02:16 +01:00
68b6a02f29
remove stale debugging logs
...
I don't have the hd space to do debug builds, so I use tracing::info to debug
on release builds. Silly, right?
2025-07-02 02:02:16 +01:00
dd2d08d3b1
use config.server_name as title in OIDC pages
2025-07-02 02:02:16 +01:00
a0f4afe1a9
fix oidc_provider discovery message and docstrings
2025-07-02 02:02:15 +01:00
66f37b30a4
typos oidc_provider discovery
2025-07-02 02:02:15 +01:00
e705f006cd
fix oidc_provider config section's doc generation
2025-07-02 02:02:15 +01:00
1c4b53f516
fix: Don't crash when the client URL doesn't have a domain
...
Having a URL with an IP literal, for example, is allowed
2025-07-02 02:02:15 +01:00
30954c7f13
fix: Use correct CSP for login page
2025-07-02 02:02:14 +01:00
042657804b
chore: Ignore formatting PR in blame
2025-07-02 02:02:11 +01:00
d7b48a0f7c
chore: Fix most clippy issues, format & typos
2025-07-02 02:01:53 +01:00
67e5869e43
remove stale dependency oxide-auth-axum
2025-07-02 02:01:52 +01:00
fa9b8869b6
feat(oidc_provider): use askama templates
...
Implements a custom OidcResponse with CSP headers and oxide-auth processing
compatibility.
2025-07-02 02:01:50 +01:00
3417ac2487
rebase on current main
2025-07-02 02:01:45 +01:00
eb4c6f9d13
impl MSC2966: register clients dynamically
2025-07-02 02:01:43 +01:00
5ab7b61129
impl MSC2964: OIDC token flow
...
# Conflicts:
# Cargo.lock
2025-07-02 02:01:40 +01:00
db3a2dc468
impl MSC2965: self-advertise as OIDC authentication provider
...
MSC2965 proposes to let the homeserver advertise its current OIDC authentication
issuer. These changes let conduwuit advertise itself as the issuer when
[global.auth.enable_oidc_login] is set. It also advertises its account management
endpoint if [global.auth.enable_oidc_account_management] is set.
None of these endpoints are implemented. This commit only implements the bare
advertisement, as requested by the MSC.
2025-07-02 02:01:31 +01:00