continuwuation/continuwuity
continuwuation/continuwuity
13
35
Fork 34
Code Issues 103 Pull requests 19 Releases 20 Packages 3 Activity Actions

WIP: act as a Matrix OIDC auth provider #810

Draft
lafleur wants to merge 59 commits from lafleur/continuwuity:as-oidc-provider into main
pull from: lafleur/continuwuity:as-oidc-provider
merge into: continuwuation:main
Conversation 43 Commits 59 Files changed 45 +2744 -8

59 commits

Author SHA1 Message Date
lafleur
f4d558283d add some docstrings
Some checks failed
Documentation / Build and Deploy Documentation (pull_request) Has been skipped
Details
Checks / Prek / Pre-commit & Formatting (pull_request) Failing after 2m45s
Details
Update flake hashes / update-flake-hashes (pull_request) Successful in 12s
Details
Checks / Prek / Clippy and Cargo Tests (pull_request) Failing after 18m26s
Details
2025-11-28 20:22:47 +00:00
lafleur
a2e8db08e5 update TODO tags 2025-11-28 20:22:47 +00:00
lafleur
68ed358810 move OidcEndpoint to its separate source file 2025-11-28 20:22:47 +00:00
lafleur
44171bdd31 chore: run cargo fmt 2025-11-28 20:22:47 +00:00
lafleur
34f29e4d38 add docstrings 2025-11-28 20:22:47 +00:00
lafleur
9a26095709 OidcIssuer: add debug logs 2025-11-28 20:22:47 +00:00
lafleur
35bf32842f remove failing and useless test 2025-11-28 20:22:47 +00:00
lafleur
f4a3b681c3 chore: run cargo +nightly fmt 2025-11-28 20:22:47 +00:00
lafleur
ff7c8d9492 move endpoint to oidc crate, reorganize 2025-11-28 20:22:47 +00:00
lafleur
9c58a47fe9 typos 2025-11-28 20:22:47 +00:00
lafleur
3ee74d975a chore: run cargo +nightly fmt 2025-11-28 20:22:47 +00:00
lafleur
8c3f64f31b OIDC: use async auth flows 2025-11-28 20:22:47 +00:00
lafleur
b1fc6d666b chore: cargo +nightly fmt 2025-11-28 20:22:47 +00:00
lafleur
a49eb3c968 OIDC: reimplement using rocksdb and oxide-auth-async 
devices and their tokens use the global registries and services::users commands,
and some db registries are added :
- clientid_oidcclient (stores OIDC client details)
- oidcdeviceid_grant (stores oxide-auth grant details)
- refreshtoken_userdeviceidexpiresat (stores refresh tokens' expiry date)
- userdeviceid_oidcdevice (stores OIDC device details)

This implementation lacks the owner consent dialog. This will be addressed in
a future commit.
 2025-11-28 20:22:47 +00:00
lafleur
69d6227952 OIDC: improve web templates 
- fixes CSP issues with localhost
- better consent message
-use askama urlencode_strict
 2025-11-28 20:22:47 +00:00
lafleur
38c147378b registrar: fix error type on deser error 2025-11-28 20:22:47 +00:00
lafleur
41b02cdff2 impl persistent tokens + MSC4254 (token revoke) 
adds an "issuer_secret" to config.auth that lets the issuer persist tokens
between continuwuity restarts
 2025-11-28 20:22:47 +00:00
Ginger
2335c26985 chore: Update Cargo.lock 2025-11-28 20:22:47 +00:00
Ginger
a101f0e6b0 chore: Fix template EOFs 2025-11-28 20:22:47 +00:00
Ginger
dd22deac89 chore: Clippy and formatting 2025-11-28 20:22:47 +00:00
lafleur
6936aed79d fix accidental project name regression 2025-11-28 20:22:47 +00:00
lafleur
3f3c7090ec OIDC: fix build after rebase 2025-11-28 20:22:47 +00:00
lafleur
6ac7cac9d5 OIDC: impl client_registrar over db (sync impl) 2025-11-28 20:22:47 +00:00
lafleur
90af00bc37 OIDC auth flow: correct device registration 2025-11-28 20:22:47 +00:00
lafleur
8755bf6c74 OIDC private clients: correct client secret 2025-11-28 20:22:47 +00:00
lafleur
e2d972c460 unlimit log levels and update Cargo.lock 2025-11-28 20:22:47 +00:00
lafleur
4d7f036ae4 oidc: implement registering devices 2025-11-28 20:22:47 +00:00
lafleur
189a1f62d8 WIP: show discrepancy between device_id and client_id 2025-11-28 20:22:47 +00:00
lafleur
504ee314c4 add services::oidc::user_and_device_from_token(), use in auth 2025-11-28 20:22:47 +00:00
lafleur
0c2c5b4c5c OIDC: embed user_id in consent 2025-11-28 20:22:47 +00:00
lafleur
b4470e7db6 web::login: add form-data CSP rules for localhost 2025-11-28 20:22:47 +00:00
lafleur
8850cf117a add some OIDC docstrings 2025-11-28 20:22:47 +00:00
lafleur
523298e1c8 fix oxide-auth's redirect_uri comparison 
oxide-auth's `RegisteredUrl::IgnorePortOnLocalhost` doesn't work when the host is 127.0.0.1 or [::1].
This commit lets the authentication process translate the host. The new registrar already supports this.
 2025-11-28 20:22:47 +00:00
lafleur
86a678c7c5 basic OIDC client registrar with auth tracing 2025-11-28 20:22:47 +00:00
lafleur
43c65a62bc OIDC: make response_mode optional 
Fractal omits the `response_mode` field when in an auth flow (its value must be
the literal "S256", so it's mainly here for OIDC compliance I guess). Accepting
this lets it proceed to the next authentication step.
 2025-11-28 20:22:47 +00:00
lafleur
570d7853c4 support OIDC private clients 2025-11-28 20:22:47 +00:00
lafleur
4617f523b6 oidc: add debug/trace logs 2025-11-28 20:22:47 +00:00
lafleur
f791fef744 oidc authorize: make response_mode optional 2025-11-28 20:22:47 +00:00
lafleur
b8ccca8361 fix build warning : explicit cast 2025-11-28 20:22:47 +00:00
nexy7574
8df83b4e1e fix build errors 2025-11-28 20:22:47 +00:00
Jade Ellis
c5a1c07453 fixup! fix OidcResponse: reimplement IntoResponse 2025-11-28 20:22:47 +00:00
lafleur
0d72140b81 fix OidcResponse: reimplement IntoResponse 2025-11-28 20:22:47 +00:00
Jade Ellis
772ab6b553 chore: fix up 2025-11-28 20:22:47 +00:00
lafleur
2eac357670 oidc: small cosmetics + typos 2025-11-28 20:22:47 +00:00
lafleur
5f54e54662 remove stale debugging logs 
I don't have the hd space to do debug builds, so I use tracing::info to debug
on release builds. Silly, right ?
 2025-11-28 20:22:47 +00:00
lafleur
5c607e0e88 use config.server_name as title in OIDC pages 2025-11-28 20:22:47 +00:00
lafleur
1e3fa11a65 fix oidc_provider discovery message and docstrings 2025-11-28 20:22:47 +00:00
lafleur
c101b7b7fd typos oidc_provider discovery 2025-11-28 20:22:47 +00:00
lafleur
57aea334a5 fix oidc_provider config section's doc generation 2025-11-28 20:22:47 +00:00
Jade Ellis
4e0b6c57f8 fix: Don't crash when the client URL doesn't have a domain 
Having a URL with an IP literal, for example, is allowed
 2025-11-28 20:22:47 +00:00
Jade Ellis
bd55afb9e6 fix: Use correct CSP for login page 2025-11-28 20:22:47 +00:00
Jade Ellis
92563b1985 chore: Ignore formatting PR in blame 2025-11-28 20:22:47 +00:00
Jade Ellis
ac1022dfed chore: Fix most clippy issue, format & typos 2025-11-28 20:22:47 +00:00
lafleur
f26ffa406e remove stale dependency oxide-auth-axum 2025-11-28 20:22:47 +00:00
lafleur
d6b01d3658 feat(oidc_provider) use askama templates 
Implements a custom OidcResponse with CSP headers and oxide-auth processing
compatibility.
 2025-11-28 20:22:47 +00:00
lafleur
7f286e26bf rebase on current main 2025-11-28 20:22:47 +00:00
lafleur
fe4e27d89e impl MSC2966: register clients dynamically 2025-11-28 20:22:47 +00:00
lafleur
06077daf0d impl MSC2964: OIDC token flow 2025-11-28 20:22:47 +00:00
lafleur
486155da63 impl MSC2965: self-advertise as OIDC authentication provider 
MSC2965 proposes to let the homeserver advertise its current OIDC authentication
issuer. These changes let conduwuit advertise itself as the issuer when
[global.auth.enable_oidc_login] is set. It also advertises its account management
endpoint if [global.auth.enable_oidc_account_management] is set.

None of these endpoints are implemented. This commit only implements the bare
advertisement, as requested by the MSC.
 2025-11-28 20:22:47 +00:00