experimental: Expose an OpenID Connect API

Co-authored-by: Doug <[email protected]>
Signed-off-by: Kévin Commaille <[email protected]>

Author: zecakeh

Cargo.lock

@@ -42,6 +42,14 @@ appservice = ["ruma/appservice-api-s"]
 image-proc = ["dep:image"]
 image-rayon = ["image-proc", "image?/jpeg_rayon"]
 
+experimental-oidc = [
+    "ruma/unstable-msc2967",
+    "dep:chrono",
+    "dep:language-tags",
+    "dep:mas-oidc-client",
+    "dep:rand",
+    "dep:tower",
+]
 experimental-sliding-sync = [
     "matrix-sdk-base/experimental-sliding-sync",
     "reqwest/gzip",
@@ -58,6 +66,7 @@ async-trait = { workspace = true }
 bytes = "1.1.0"
 bytesize = "1.1"
 cfg-vis = "0.3.0"
+chrono = { version = "0.4.23", optional = true }
 dashmap = { workspace = true }
 event-listener = "2.5.2"
 eyeball = { workspace = true }
@@ -67,8 +76,9 @@ eyre = { version = "0.6.8", optional = true }
 futures-core = { workspace = true }
 futures-util = { workspace = true }
 http = { workspace = true }
-imbl = { version = "2.0.0", features = ["serde"] }
 hyper = { version = "0.14.20", features = ["http1", "http2", "server"], optional = true }
+imbl = { version = "2.0.0", features = ["serde"] }
+language-tags = { version = "0.3.2", optional = true }
 matrix-sdk-base = { version = "0.6.0", path = "../matrix-sdk-base", default_features = false }
 matrix-sdk-common = { version = "0.6.0", path = "../matrix-sdk-common" }
 matrix-sdk-indexeddb = { version = "0.2.0", path = "../matrix-sdk-indexeddb", default-features = false, optional = true }
@@ -107,6 +117,11 @@ features = [
 ]
 optional = true
 
+[dependencies.mas-oidc-client]
+git = "https://github.com/matrix-org/matrix-authentication-service"
+rev = "4280045b24bc71ef1fa100c0a046ed15e6e20748"
+optional = true
+
 [target.'cfg(target_arch = "wasm32")'.dependencies]
 gloo-timers = { version = "0.2.6", features = ["futures"] }
 reqwest = { version = "0.11.10", default_features = false }

crates/matrix-sdk/Cargo.toml

@@ -15,13 +15,19 @@
 use matrix_sdk_base::SessionMeta;
 
 use crate::matrix_auth::{self, MatrixAuth, MatrixAuthData};
+#[cfg(feature = "experimental-oidc")]
+use crate::oidc::{self, Oidc, OidcAuthData};
 
 /// An enum over all the possible authentication APIs.
 #[derive(Debug, Clone)]
 #[non_exhaustive]
 pub enum AuthApi {
     /// The native Matrix authentication API.
     Matrix(MatrixAuth),
+
+    /// The OpenID Connect API.
+    #[cfg(feature = "experimental-oidc")]
+    Oidc(Oidc),
 }
 
 /// A user session using one of the available authentication APIs.
@@ -30,20 +36,28 @@ pub enum AuthApi {
 pub enum AuthSession {
     /// A session using the native Matrix authentication API.
     Matrix(matrix_auth::Session),
+
+    /// A session using the OpenID Connect API.
+    #[cfg(feature = "experimental-oidc")]
+    Oidc(oidc::FullSession),
 }
 
 impl AuthSession {
     /// Get the matrix user information of this session.
     pub fn meta(&self) -> &SessionMeta {
         match self {
             AuthSession::Matrix(session) => &session.meta,
+            #[cfg(feature = "experimental-oidc")]
+            AuthSession::Oidc(session) => &session.user.meta,
         }
     }
 
     /// Get the access token of this session.
     pub fn access_token(&self) -> &str {
         match self {
             AuthSession::Matrix(session) => &session.tokens.access_token,
+            #[cfg(feature = "experimental-oidc")]
+            AuthSession::Oidc(session) => &session.user.tokens.access_token,
         }
     }
 }
@@ -54,23 +68,47 @@ impl From<matrix_auth::Session> for AuthSession {
     }
 }
 
+#[cfg(feature = "experimental-oidc")]
+impl From<oidc::FullSession> for AuthSession {
+    fn from(session: oidc::FullSession) -> Self {
+        Self::Oidc(session)
+    }
+}
+
 /// Data for an authentication API.
-#[derive(Clone, Debug)]
+#[derive(Debug)]
 pub(crate) enum AuthData {
     /// Data for the native Matrix authentication API.
     Matrix(MatrixAuthData),
+    /// Data for the OpenID Connect API.
+    #[cfg(feature = "experimental-oidc")]
+    Oidc(OidcAuthData),
 }
 
 impl AuthData {
     pub(crate) fn as_matrix(&self) -> Option<&MatrixAuthData> {
         match self {
             AuthData::Matrix(d) => Some(d),
+            #[cfg(feature = "experimental-oidc")]
+            _ => None,
         }
     }
 
-    pub(crate) fn access_token(&self) -> String {
+    #[cfg(feature = "experimental-oidc")]
+    pub(crate) fn as_oidc(&self) -> Option<&OidcAuthData> {
         match self {
-            AuthData::Matrix(d) => d.tokens.get().access_token,
+            AuthData::Oidc(d) => Some(d),
+            _ => None,
         }
     }
+
+    pub(crate) fn access_token(&self) -> Option<String> {
+        let token = match self {
+            AuthData::Matrix(d) => d.tokens.get().access_token,
+            #[cfg(feature = "experimental-oidc")]
+            AuthData::Oidc(d) => d.tokens.get()?.get().access_token,
+        };
+
+        Some(token)
+    }
 }

crates/matrix-sdk/src/authentication.rs

@@ -74,6 +74,8 @@ use url::Url;
 
 #[cfg(feature = "e2e-encryption")]
 use crate::encryption::Encryption;
+#[cfg(feature = "experimental-oidc")]
+use crate::oidc::Oidc;
 use crate::{
     authentication::AuthData,
     config::RequestConfig,
@@ -141,12 +143,12 @@ pub(crate) struct ClientInner {
     /// The URL of the homeserver to connect to.
     homeserver: RwLock<Url>,
     /// The authentication server info discovered from the homeserver.
-    authentication_server_info: Option<AuthenticationServerInfo>,
+    pub(crate) authentication_server_info: Option<AuthenticationServerInfo>,
     /// The sliding sync proxy that is trusted by the homeserver.
     #[cfg(feature = "experimental-sliding-sync")]
     sliding_sync_proxy: StdRwLock<Option<Url>>,
     /// The underlying HTTP client.
-    http_client: HttpClient,
+    pub(crate) http_client: HttpClient,
     /// User session data.
     base_client: BaseClient,
     /// The Matrix versions the server supports (well-known ones only)
@@ -477,7 +479,7 @@ impl Client {
     ///
     /// Will be `None` if the client has not been logged in.
     pub fn access_token(&self) -> Option<String> {
-        Some(self.inner.auth_data.get()?.access_token())
+        self.inner.auth_data.get()?.access_token()
     }
 
     /// Access the authentication API used to log in this client.
@@ -486,6 +488,8 @@ impl Client {
     pub fn auth_api(&self) -> Option<AuthApi> {
         match self.inner.auth_data.get()? {
             AuthData::Matrix(_) => Some(AuthApi::Matrix(self.matrix_auth())),
+            #[cfg(feature = "experimental-oidc")]
+            AuthData::Oidc(_) => Some(AuthApi::Oidc(self.oidc())),
         }
     }
 
@@ -498,6 +502,8 @@ impl Client {
     pub fn session(&self) -> Option<AuthSession> {
         match self.auth_api()? {
             AuthApi::Matrix(api) => api.session().map(Into::into),
+            #[cfg(feature = "experimental-oidc")]
+            AuthApi::Oidc(api) => api.full_session().map(Into::into),
         }
     }
 
@@ -527,6 +533,12 @@ impl Client {
         Media::new(self.clone())
     }
 
+    /// Access the OpenID Connect API of the client.
+    #[cfg(feature = "experimental-oidc")]
+    pub fn oidc(&self) -> Oidc {
+        Oidc::new(self.clone())
+    }
+
     /// Register a handler for a specific event type.
     ///
     /// The handler is a function or closure with one or more arguments. The
@@ -942,6 +954,8 @@ impl Client {
         let session = session.into();
         match session {
             AuthSession::Matrix(s) => self.matrix_auth().restore_session(s).await,
+            #[cfg(feature = "experimental-oidc")]
+            AuthSession::Oidc(s) => self.oidc().restore_session(s).await,
         }
     }
 
@@ -959,6 +973,10 @@ impl Client {
             AuthApi::Matrix(a) => {
                 a.refresh_access_token().await?;
             }
+            #[cfg(feature = "experimental-oidc")]
+            AuthApi::Oidc(api) => {
+                api.refresh_access_token().await?;
+            }
         }
 
         Ok(())

crates/matrix-sdk/src/client/mod.rs

@@ -257,6 +257,11 @@ pub enum Error {
     #[error("The internal client state is inconsistent.")]
     InconsistentState,
 
+    /// An error occurred interacting with the OpenID Connect API.
+    #[cfg(feature = "experimental-oidc")]
+    #[error(transparent)]
+    Oidc(#[from] crate::oidc::OidcError),
+
     /// An other error was raised
     /// this might happen because encryption was enabled on the base-crate
     /// but not here and that raised.
@@ -423,6 +428,11 @@ pub enum RefreshTokenError {
     /// An error occurred interacting with the native Matrix authentication API.
     #[error(transparent)]
     MatrixAuth(Arc<HttpError>),
+
+    /// An error occurred interacting with the OpenID Connect API.
+    #[cfg(feature = "experimental-oidc")]
+    #[error(transparent)]
+    Oidc(#[from] Arc<crate::oidc::OidcError>),
 }
 
 /// Errors that can occur when manipulating push notification settings.

crates/matrix-sdk/src/error.rs

@@ -239,3 +239,28 @@ async fn response_to_http_response(
 
     Ok(http_builder.body(body).expect("Can't construct a response using the given body"))
 }
+
+#[cfg(feature = "experimental-oidc")]
+impl tower::Service<http::Request<Bytes>> for HttpClient {
+    type Response = http::Response<Bytes>;
+    type Error = tower::BoxError;
+    type Future = futures_core::future::BoxFuture<'static, Result<Self::Response, Self::Error>>;
+
+    fn poll_ready(
+        &mut self,
+        _cx: &mut std::task::Context<'_>,
+    ) -> std::task::Poll<Result<(), Self::Error>> {
+        std::task::Poll::Ready(Ok(()))
+    }
+
+    fn call(&mut self, req: http::Request<Bytes>) -> Self::Future {
+        let inner = self.inner.clone();
+
+        let fut = async move {
+            native::send_request(&inner, &req, DEFAULT_REQUEST_TIMEOUT, Default::default())
+                .await
+                .map_err(Into::into)
+        };
+        Box::pin(fut)
+    }
+}

crates/matrix-sdk/src/http_client/mod.rs

@@ -40,6 +40,8 @@ mod http_client;
 pub mod matrix_auth;
 pub mod media;
 pub mod notification_settings;
+#[cfg(feature = "experimental-oidc")]
+pub mod oidc;
 pub mod room;
 pub mod sync;
 

crates/matrix-sdk/src/lib.rs

@@ -561,7 +561,7 @@ impl MatrixAuth {
     }
 
     /// Set the current session tokens
-    fn set_session_tokens(&self, tokens: SessionTokens) {
+    pub(crate) fn set_session_tokens(&self, tokens: SessionTokens) {
         if let Some(auth_data) = self.client.inner.auth_data.get() {
             let Some(data) = auth_data.as_matrix() else {
                 panic!("Cannot call native Matrix authentication API after logging in with another API");