Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSC3824: OIDC aware clients #3824

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

MSC3824: OIDC aware clients #3824

wants to merge 17 commits into from

Conversation

hughns
Copy link
Member

@hughns hughns commented May 24, 2022

Rendered

  • Spec is feature complete
  • Reviewed for consistency with MSC3861
  • Implementations believed to be complete enough

Dependencies:

Servers

Clients

@hughns hughns changed the title Add an optional query parameter to SSO redirect MSC3824: Add an optional query parameter to SSO redirect May 24, 2022
@hughns hughns changed the title MSC3824: Add an optional query parameter to SSO redirect MSC3824: Add optional action= query parameter to SSO redirect May 24, 2022
@hughns hughns changed the title MSC3824: Add optional action= query parameter to SSO redirect MSC3824: Login/register indication on SSO redirect May 24, 2022
@uhoreg uhoreg added proposal A matrix spec change proposal client-server Client-Server API needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. kind:maintenance MSC which clarifies/updates existing spec labels May 24, 2022
@hughns

This comment was marked as duplicate.

@turt2live
Copy link
Member

(implementation nor the MSC have been sufficiently reviewed to remove the label - when someone on the SCT is comfortable with where things are at, they'll remove the label. Personally, I haven't gotten as far as deciding if I'm comfortable with it 😅)

@sandhose
Copy link
Member

sandhose commented May 25, 2022

I think an important part of this would also be to be able to advertise what actions are available with each login method, e.g.

{
  "flows": [{
    "type": "m.login.password",
    "actions": ["login"],
  }, {
    "type": "m.login.sso",
    "actions": ["login", "register"]
  }]
}

This would allow clients to properly display what's really available for each login method

hughns and others added 2 commits May 25, 2022 11:13
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
@hughns hughns changed the title MSC3824: Login/register indication on SSO redirect MSC3824: Ability to distinguish between login and registration May 30, 2022
@hughns
Copy link
Member Author

hughns commented May 31, 2022

I've had an initial go at Synapse support in matrix-org/synapse#12924.

Matrix Authentication Service support within it's compatibility layer is in matrix-org/matrix-authentication-service#221

@hughns hughns changed the title MSC3824: Ability to distinguish between login and registration MSC3824: OIDC aware clients Jun 15, 2022
@hughns
Copy link
Member Author

hughns commented Feb 3, 2023

The Web support has been merged so I think that this is ready for review. Android implementation is done too but not yet merged.

@hughns hughns marked this pull request as ready for review February 3, 2023 09:42
@turt2live turt2live added the matrix-2.0 Required for Matrix 2.0 label Mar 3, 2023
Comment on lines +46 to +49
Add an optional query parameter `action` to `GET /_matrix/client/v3/login/sso/redirect` and `GET /_matrix/client/v3/login/sso/redirect/{idpId}` with meaning:

- `login` - the SSO redirect is for the purposes of signing an existing user in
- `register` - the SSO redirect is for the purpose of registering a new user account
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'm missing something -- how would the client know whether it is logging in or registering?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The user would have told the client if they already have a Matrix account or not.

For example, by clicking buttons labelled as such.

For an OIDC enabled homeserver to provide support for *OIDC aware* clients it would:

- support OIDC delegation as per [MSC2964](https://github.com/matrix-org/matrix-spec-proposals/pull/2964) and others
- provide a compatibility layer for `m.login.password` and `m.login.sso` that wraps on to OIDC
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it defined how m.login.password an be wrapped into OIDC? I guess doing the login itself?

- support OIDC delegation as per [MSC2964](https://github.com/matrix-org/matrix-spec-proposals/pull/2964) and others
- provide a compatibility layer for `m.login.password` and `m.login.sso` that wraps on to OIDC
- indicate that the `m.login.sso` is preferred by setting `delegated_oidc_compatibility` to `true`
- make use of the `action` param on the SSO redirect endpoints
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make use of it to do what?

Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
client-server Client-Server API kind:maintenance MSC which clarifies/updates existing spec matrix-2.0 Required for Matrix 2.0 needs-implementation This MSC does not have a qualifying implementation for the SCT to review. The MSC cannot enter FCP. proposal A matrix spec change proposal
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants