
Native OIDC #2079

Open
liamdiprose opened this issue Dec 3, 2024 · 4 comments

Comments

liamdiprose commented Dec 3, 2024

Describe the problem

Matrix is adopting OpenID Connect (OIDC) for authentication so clients will need to implement "Native OIDC".

Describe the solution you'd like

This means Cinny will need to:

  • implement the single-sign-on (SSO) login flow with an OIDC authorization server, and
  • use the resulting access token in the Authorization header of Matrix API requests.

Alternatives considered

No response

Additional context

I have some experience implementing these flows so can provide assistance. However, I think it would be best if a maintainer integrates the feature into the codebase.

There's a good overview of the process here: https://areweoidcyet.com/client-implementation-guide/

kfiven (Collaborator) commented Dec 3, 2024

https://synapse-oidc.element.dev as a server seems to work already or is there something else more needed to implement Native OIDC?

liamdiprose (Author) commented Dec 3, 2024

Hi @kfiven,

I've opted into MSC3861 which changes synapse's auth system to OIDC in my homeserver.yaml:

experimental_features:
  msc3861:
    enabled: true
    client_id: _oidc_client_id_
    client_secret: _oidc_client_secret_
    issuer: https://_oidc_hostname_

Now synapse responds to /login/* requests with 404.

To help migration, the Matrix maintainers have released the matrix-authentication-service (MAS) to translate the issuer into the old /login response (1). I guess this is what https://synapse-oidc.element.dev is doing.

The matrix maintainers stated in the Matrix 2 announcement that they plan to decommission MAS on matrix.org soon. Given the choice, I'd much rather add native OIDC behaviour to Cinny than get MAS working.

At the moment, Cinny only requests the /login route and I don't see the request to discover the OIDC issuer:

GET https://synapse-oidc.element.dev/_matrix/client/unstable/org.matrix.msc2965/auth_issuer

Using that response, Cinny needs to construct its own OIDC redirect URL and handle when the OIDC server redirects the user's browser back to Cinny. The redirect URL will contain a code which Cinny can then exchange with the OIDC server for an access token.

I'm happy to help if you have any questions with regards to the OIDC redirect login flow.

jtrees commented Jan 7, 2025

If I understand the recent blogpost correctly, this will be the only way to authenticate on matrix.org after February 10 (barely a month away).

So this may be a high priority issue.

liamdiprose (Author) commented

Thanks for sharing that blogpost, it's nice to get some clarity on the situation:

Developers can already use beta.matrix.org to see if their clients are compatible with MAS. If you notice anything that doesn't work as intended, make sure to give your feedback on those MSCs. If clients work on beta.matrix.org, they will be able to connect to matrix.org after the rollout.

Based on our discussion above, Cinny should continue to work after Feb 10.

However, I believe the intention is to decommission MAS once enough clients perform the OIDC sign-in flow themselves (Native OIDC).
