Etude : OpenID dans Tchap iOS

[NicolasBuquet]

Analyser l'usage de OpenID Connect dans le code de Tchap :

• lister les modules et méthodes concernées
• lister les dépendances au back-end
• lister les appels demandant un token OpenID

[NicolasBuquet]

Dans le Matrix SDK

Classe MXIdentityServerRestClient :

#pragma mark Authentication

/**
 Register with an identity server using the OpenID token from the user's homeserver (v2 API).

 @param openIdToken The OpenID token from an homeserver.
 @param success A block object called when the operation succeeds. It provides the user access token for the identity server.
 @param failure A block object called when the operation fails.
 
 @return a MXHTTPOperation instance.
 */
- (MXHTTPOperation*)registerWithOpenIdToken:(MXOpenIdToken*)openIdToken
                                    success:(void (^)(NSString *accessToken))success
                                    failure:(void (^)(NSError *error))failure;


/**
 Gets information about the token's owner, such as the user ID for which it belongs.

 @param success A block object called when the operation succeeds. It provides the user ID which was represented in the OpenID object provided to /register.
 @param failure A block object called when the operation fails.
 
 @return a MXHTTPOperation instance.
 */
- (MXHTTPOperation*)accountWithSuccess:(void (^)(NSString *userId))success
                               failure:(void (^)(NSError *error))failure;

Path appelé sur le back-end : _matrix/identity/v2/account/register

Classe MXIdentityService:

La méthode suivante nécessite un openID token pour demander un nouvel access token.

- (MXHTTPOperation*)renewAccessTokenWithSuccess:(void (^)(NSString*))success failure:(void (^)(NSError *))failure
{
    if (!self.homeserverRestClient)
    {
        NSError *error = [NSError errorWithDomain:@"MXIdentityService" code:0 userInfo:nil];
        failure(error);
        return nil;
    }
    
    MXHTTPOperation *operation;
    
    MXWeakify(self);
    
    operation = [self.homeserverRestClient openIdToken:^(MXOpenIdToken *tokenObject) {
        
        MXStrongifyAndReturnIfNil(self);
        
        MXHTTPOperation *operation2 = [self.restClient registerWithOpenIdToken:tokenObject success:^(NSString * _Nonnull accessToken) {
            
            success(accessToken);
            
        } failure:^(NSError * _Nonnull error) {
            failure(error);
        }];
        
        // Mutate MXHTTPOperation so that the user can cancel this new operation
        [operation mutateTo:operation2];
        
    } failure:^(NSError *error) {
        failure(error);
    }];
    
    return operation;
}

Classe MXJSONModels :

Déclare l'interface MXOpenIdToken:

/**
 `MXOpenIdToken` represents the response to the `openIdToken` request.
 */
@interface MXOpenIdToken : MXJSONModel

/**
 The token type.
 */
@property (nonatomic) NSString *tokenType;

/**
 The homeserver name.
 */
@property (nonatomic) NSString *matrixServerName;

/**
 The generated access token.
 */
@property (nonatomic) NSString *accessToken;

/**
 The valid period in seconds of this token.
 */
@property (nonatomic) uint64_t expiresIn;

@end

Classe MXRestClient :

/**
 Gets a bearer token from the homeserver that the user can
 present to a third party in order to prove their ownership
 of the Matrix account they are logged into.

 @param success A block object called when the operation succeeds.
 @param failure A block object called when the operation fails.

 @return a MXHTTPOperation instance.
 */
- (MXHTTPOperation*)openIdToken:(void (^)(MXOpenIdToken *tokenObject))success
                        failure:(void (^)(NSError *error))failure;

Path appelé sur le back-end : _matrix/client/unstable/user/<user-id>/openid/request_token

[NicolasBuquet]

L'obtention de l'openID token semble passer par l'intégration d'un service tiers par la classe IntegrationManagerViewController :

- (WidgetManagerConfig*)createWidgetManagerConfigForUser:(NSString*)userId
{
    WidgetManagerConfig *config;

    MXSession *session = [self matrixSessionForUser:userId];

    // Find the integrations settings for the user

    // First, look at matrix account
    // TODO in another user story
    
    // Then, try to the homeserver configuration
    MXWellknownIntegrationsManager *integrationsManager = session.homeserverWellknown.integrations.managers.firstObject;
    if (integrationsManager)
    {
        config = [[WidgetManagerConfig alloc] initWithApiUrl:integrationsManager.apiUrl uiUrl:integrationsManager.uiUrl];
    }
    else
    {
        // Fallback on app settings
        config = [self createWidgetManagerConfigWithAppSettings];
    }

    return config;
}

- (WidgetManagerConfig*)createWidgetManagerConfigWithAppSettings
{
    return [[WidgetManagerConfig alloc] initWithApiUrl:BuildSettings.integrationsRestApiUrlString
                                                 uiUrl:BuildSettings.integrationsUiUrlString];
}

[NicolasBuquet]

L'usage de OpenID dans Matrix est basé sur la MSC1961 : https://github.com/matrix-org/matrix-spec-proposals/blob/old_master/proposals/1961-integrations-auth.md

The Matrix spec proposal pull request : matrix-org/matrix-spec-proposals#1961

matrix-org/matrix-spec-proposals#2140 defines a new v2 API for Identity Servers and uses OpenID authentication as defined in matrix-org/matrix-spec-proposals#1961.