OIDC: Log in #25392
Status: Closed
andybalaam changed the title from "OIDC: Discover that homeserver supports OIDC using .well-known" to "OIDC: Log in" on May 25, 2023.
Summary
Support login via native OIDC in Element Web. Refer to https://areweoidcyet.com/client-implementation-guide/ for guidance. (You will need to find out what OIDC is before you can understand it.)
You will almost certainly need to break this story up into smaller parts before implementing it.
Background
Discovering homeserver support
Currently, Element Web is an "OIDC-aware" client, which means it has some slight alterations to its existing SSO login flow that make OIDC work a little better, but it doesn't take full advantage of OIDC.
Currently, to discover that a homeserver supports OIDC, we examine the list of available login flows (see Login.ts) and if we find an OIDC one masquerading as an SSO flow, we only display that.
Instead of this, before we ask the homeserver what flows it supports, we should check the `.well-known` info we have back from the homeserver, and if it contains the `m.authentication` section with the info we need as described in MSC2965, then use that to find what we need. This means we must fetch another `.well-known` file from the `issuer` we got from the `m.authentication` server, and look inside that for the `authorization_endpoint`. Now, I (@andybalaam) think we have what we need to delegate directly to the authorization endpoint without asking the homeserver what auth flows it supports. This means we can jump directly to redirecting to that endpoint, somewhere near BasePlatform.ts startSingleSignOn. The guiding MSC for this work is MSC2964, but the specifics you need here are in MSC2965.
I suspect the changes will be limited to Login.ts, BasePlatform.ts and nearby code. (But I am not certain -- @andybalaam)
This part corresponds to the first Requirement of OIDC Native clients - "Discovery of OP in /.well-known/matrix/client". Refer to the Client Implementation Guide for more info. It may also correspond to the second part - I'm not sure which Web UI is meant there - the login one or something else (e.g. signup or administration).
Dynamic and static client registration
We should support both dynamic and static client registration. See "Discovery and client registration" in https://areweoidcyet.com/client-implementation-guide/
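The two-step discovery described under "Discovering homeserver support", as an added example that is not Element Web's code: the `.well-known` documents are constructed samples served from an in-memory lookup standing in for the network fetch, and the domain names, endpoints and function names are assumptions for illustration.

```typescript
// Added example, not Element Web code. Constructed .well-known documents
// stand in for the two fetches a client would make (MSC2965 discovery).
type Json = Record<string, unknown>;
type JsonLookup = (url: string) => Json | undefined;

// Constructed sample documents keyed by the URL a client would fetch.
const sampleDocs: Record<string, Json> = {
  "https://example.org/.well-known/matrix/client": {
    "m.homeserver": { base_url: "https://matrix.example.org" },
    "m.authentication": { issuer: "https://auth.example.org/" },
  },
  "https://auth.example.org/.well-known/openid-configuration": {
    issuer: "https://auth.example.org/",
    authorization_endpoint: "https://auth.example.org/authorize",
    token_endpoint: "https://auth.example.org/oauth2/token",
  },
};
const lookup: JsonLookup = (url) => sampleDocs[url];

// Every URL we will redirect the user to must be a well-formed https URL.
function asHttpsUrl(value: unknown, what: string): string {
  if (typeof value !== "string") throw new Error(`${what} missing`);
  if (new URL(value).protocol !== "https:") throw new Error(`${what} must be https`);
  return value;
}

// Step 1: read m.authentication from the homeserver's client .well-known.
// null means "not OIDC native", so the caller falls back to the legacy flows.
function discoverIssuer(clientWellKnown: Json): string | null {
  const auth = clientWellKnown["m.authentication"];
  if (typeof auth !== "object" || auth === null) return null;
  return asHttpsUrl((auth as Json).issuer, "m.authentication.issuer");
}

// Step 2: fetch the issuer's openid-configuration and take its
// authorization_endpoint. The document's own issuer must equal the one we
// asked for, so a misplaced or hostile document cannot redirect the login.
function resolveAuthorizationEndpoint(issuer: string, fetchJson: JsonLookup): string {
  const base = issuer.endsWith("/") ? issuer : issuer + "/";
  const cfg = fetchJson(base + ".well-known/openid-configuration");
  if (!cfg) throw new Error("openid-configuration not found");
  if (cfg.issuer !== issuer) throw new Error("issuer mismatch in openid-configuration");
  return asHttpsUrl(cfg.authorization_endpoint, "authorization_endpoint");
}

// Full path from a homeserver domain to the URL startSingleSignOn would use.
function discoverLoginRedirect(domain: string, fetchJson: JsonLookup): string | null {
  const wk = fetchJson(`https://${domain}/.well-known/matrix/client`);
  if (!wk) return null;
  const issuer = discoverIssuer(wk);
  return issuer === null ? null : resolveAuthorizationEndpoint(issuer, fetchJson);
}
```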
Subtasks