From 58e5b3959dd49019aabae9621a9d866b34fb21ab Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Fri, 10 May 2024 13:13:59 +0100
Subject: [PATCH 1/2] Allow explicit configuration of OIDC dynamic registration metadata

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 docs/config.md | 40 ++++++++++++++++++++++++
 src/vector/platform/ElectronPlatform.tsx | 7 +++--
 2 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/docs/config.md b/docs/config.md
index 95972a4fa8e..e64461e5ec5 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -261,6 +261,46 @@ When Element is deployed alongside a homeserver with SSO-only login, some option
 ```
 It is most common to use the `immediate` flag instead of `on_welcome_page`.
 
+## Native OIDC
+
+Native OIDC support is currently in labs and is subject to change.
+
+Static OIDC Client IDs are preferred and can be specified under `oidc_static_clients` as a mapping from `issuer` to configuration object containing `client_id`.
+Issuer must have a trailing forward slash. As an example:
+
+```json
+{
+ "oidc_static_clients": {
+ "https://auth.example.com/": {
+ "client_id": "example-client-id"
+ }
+ }
+}
+```
+
+If a matching static client is not found, the app will attempt to dynamically register a client using metadata specified under `oidc_metadata`.
+The following subproperties are available:
+
+1. `client_uri`: This is the base URI for the OIDC client registration, typically `logo_uri`, `tos_uri`, and `policy_uri` must be either on the same domain or a subdomain of this URI.
+2. `logo_uri`: Optional URI for the client logo.
+3. `tos_uri`: Optional URI for the client's terms of service.
+4. `policy_uri`: Optional URI for the client's privacy policy.
+5. `contacts`: Optional list of contact emails for the client.
+
+As an example:
+
+```json
+{
+ "oidc_metadata": {
+ "client_uri": "https://example.com",
+ "logo_uri": "https://example.com/logo.png",
+ "tos_uri": "https://example.com/tos",
+ "policy_uri": "https://example.com/policy",
+ "contacts": ["support@example.com"]
+ }
+}
+```
+
 ## VoIP / Jitsi calls
 
 Currently, Element uses Jitsi to offer conference calls in rooms, with an experimental Element Call implementation in the works.
diff --git a/src/vector/platform/ElectronPlatform.tsx b/src/vector/platform/ElectronPlatform.tsx
index dddf73ae074..bd43456d0de 100644
--- a/src/vector/platform/ElectronPlatform.tsx
+++ b/src/vector/platform/ElectronPlatform.tsx
@@ -446,13 +446,16 @@ export default class ElectronPlatform extends VectorBasePlatform {
 return (SdkConfig.get() as unknown as Record)["web_base_url"] ?? "https://app.element.io";
 }
 
+ public get defaultOidcClientUri(): string {
+ // Default to element.io as our scheme `io.element.desktop` is within its scope on default MAS policies
+ return "https://element.io";
+ }
+
 public async getOidcClientMetadata(): Promise {
 const baseMetadata = await super.getOidcClientMetadata();
 return {
 ...baseMetadata,
 applicationType: "native",
- // XXX: This should be overridable in config
- clientUri: "https://element.io",
 };
 }
 

From 7a3bc83a554347f83d8b53064c0461181c264e41 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Tue, 14 May 2024 10:32:55 +0100
Subject: [PATCH 2/2] Add comment

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
 docs/config.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/config.md b/docs/config.md
index e64461e5ec5..1f6bbabd20f 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -279,6 +279,7 @@ Issuer must have a trailing forward slash. As an example:
 ```
 
 If a matching static client is not found, the app will attempt to dynamically register a client using metadata specified under `oidc_metadata`.
+The app has sane defaults for the metadata properties below but on stricter policy identity providers they may not pass muster, e.g. `contacts` may be required.
 The following subproperties are available:
 
 1. `client_uri`: This is the base URI for the OIDC client registration, typically `logo_uri`, `tos_uri`, and `policy_uri` must be either on the same domain or a subdomain of this URI.
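Review bot: `defaultOidcClientUri` has no doc comment, and the hunk only shows the fallback half of the change — dropping `clientUri` from `getOidcClientMetadata` implies the configured `oidc_metadata.client_uri` is now merged by the base class, which is not in this diff. A TSDoc comment on the getter would make that contract explicit, e.g. `/** Fallback client_uri for dynamic OIDC client registration, used when oidc_metadata.client_uri is not set in config. */`. Because `client_uri` is what the identity provider uses to scope `logo_uri`, `tos_uri` and `policy_uri`, the code path that reads these values from config (outside this hunk, presumably in the base platform) should accept only absolute `https:` URLs rather than forwarding whatever the deployment config contains into the registration request; worth confirming the base implementation does so.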