src/livekit/openIDSFU.ts

/*
Copyright 2023, 2024 New Vector Ltd.

SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial
Please see LICENSE in the repository root for full details.
*/

import { type IOpenIDToken, type MatrixClient } from "matrix-js-sdk";
import { logger } from "matrix-js-sdk/lib/logger";
import { type CallMembershipIdentityParts } from "matrix-js-sdk/lib/matrixrtc/EncryptionManager";

import { FailToGetOpenIdToken } from "../utils/errors";
import { doNetworkOperationWithRetry } from "../utils/matrix";
import { Config } from "../config/Config";

export interface SFUConfig {
  url: string;
  jwt: string;
}

// The bits we need from MatrixClient
export type OpenIDClientParts = Pick<
  MatrixClient,
  "getOpenIdToken" | "getDeviceId"
>;
/**
 * Gets a bearer token from the homeserver and then use it to authenticate
 * to the matrix RTC backend in order to get acces to the SFU.
 * It has built-in retry for calls to the homeserver with a backoff policy.
 * @param client
 * @param serviceUrl
 * @param matrixRoomId
 * @returns Object containing the token information
 * @throws FailToGetOpenIdToken
 */
export async function getSFUConfigWithOpenID(
  client: OpenIDClientParts,
  membership: CallMembershipIdentityParts,
  serviceUrl: string,
  livekitRoomAlias: string,
  matrix2jwt: boolean,
  delayEndpointBaseUrl?: string,
  delayId?: string,
): Promise<SFUConfig> {
  let openIdToken: IOpenIDToken;
  try {
    openIdToken = await doNetworkOperationWithRetry(async () =>
      client.getOpenIdToken(),
    );
  } catch (error) {
    throw new FailToGetOpenIdToken(
      error instanceof Error ? error : new Error("Unknown error"),
    );
  }
  logger.debug("Got openID token", openIdToken);

  logger.info(`Trying to get JWT for focus ${serviceUrl}...`);
  const args: [CallMembershipIdentityParts, string, string, IOpenIDToken] = [
    membership,
    serviceUrl,
    livekitRoomAlias,
    openIdToken,
  ];
  if (matrix2jwt) {
    const sfuConfig = await getLiveKitJWTWithDelayDelegation(
      ...args,
      delayEndpointBaseUrl,
      delayId,
    );
    logger.info(`Got JWT from call's active focus URL.`);
    return sfuConfig;
  } else {
    const sfuConfig = await getLiveKitJWT(...args);
    logger.info(`Got JWT from call's active focus URL.`);
    return sfuConfig;
  }
}

async function getLiveKitJWT(
  membership: CallMembershipIdentityParts,
  livekitServiceURL: string,
  livekitRoomAlias: string,
  openIDToken: IOpenIDToken,
): Promise<SFUConfig> {
  try {
    const res = await fetch(livekitServiceURL + "/sfu/get", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        room: livekitRoomAlias,
        openid_token: openIDToken,
        device_id: membership.deviceId,
      }),
    });
    if (!res.ok) {
      throw new Error("SFU Config fetch failed with status code " + res.status);
    }
    return await res.json();
  } catch (e) {
    throw new Error("SFU Config fetch failed with exception " + e);
  }
}

export async function getLiveKitJWTWithDelayDelegation(
  membership: CallMembershipIdentityParts,
  livekitServiceURL: string,
  livekitRoomAlias: string,
  openIDToken: IOpenIDToken,
  delayEndpointBaseUrl?: string,
  delayId?: string,
): Promise<SFUConfig> {
  const { userId, deviceId, memberId } = membership;

  const body = {
    room_id: livekitRoomAlias,
    slot_id: "m.call#ROOM",
    openid_token: openIDToken,
    member: {
      id: memberId,
      claimed_user_id: userId,
      claimed_device_id: deviceId,
    },
  };

  let bodyDalayParts = {};
  // Also check for empty string
  if (delayId && delayEndpointBaseUrl) {
    const delayTimeoutMs =
      Config.get().matrix_rtc_session?.delayed_leave_event_delay_ms ?? 1000;
    bodyDalayParts = {
      delay_id: delayId,
      delay_timeout: delayTimeoutMs,
      delay_cs_api_url: delayEndpointBaseUrl,
    };
  }

  try {
    const res = await fetch(livekitServiceURL + "/get_token", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({ ...body, ...bodyDalayParts }),
    });
    if (!res.ok) {
      throw new Error("SFU Config fetch failed with status code " + res.status);
    }
    return await res.json();
  } catch (e) {
    throw new Error("SFU Config fetch failed with exception " + e);
  }
}
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00			`/*`
Update file headers copyright and change licence to AGPL-3.0-only 2024-09-06 10:22:13 +02:00			`Copyright 2023, 2024 New Vector Ltd.`
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00
Fix copyright header to say dual license not just AGPL (#3013) This probably should have been part of https://github.com/element-hq/element-call/pull/2984 2025-02-18 17:59:58 +00:00			`SPDX-License-Identifier: AGPL-3.0-only OR LicenseRef-Element-Commercial`
Update file headers copyright and change licence to AGPL-3.0-only 2024-09-06 10:22:13 +02:00			`Please see LICENSE in the repository root for full details.`
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00			`*/`

temp 2025-03-13 13:58:43 +01:00			`import { type IOpenIDToken, type MatrixClient } from "matrix-js-sdk";`
			`import { logger } from "matrix-js-sdk/lib/logger";`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`import { type CallMembershipIdentityParts } from "matrix-js-sdk/lib/matrixrtc/EncryptionManager";`
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00
Rename error boundary hook It doesn't check whether it's actually used inside a GroupCallErrorBoundary, and it's generally useful for interacting with any error boundary, so I'm giving it a generic name to reflect this. 2025-03-21 15:07:15 -04:00			`import { FailToGetOpenIdToken } from "../utils/errors";`
			`import { doNetworkOperationWithRetry } from "../utils/matrix";`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`import { Config } from "../config/Config";`
Merge v0.4.2 hotfixes 2023-07-12 17:57:54 +01:00
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00			`export interface SFUConfig {`
			`url: string;`
			`jwt: string;`
			`}`

			`// The bits we need from MatrixClient`
			`export type OpenIDClientParts = Pick<`
			`MatrixClient,`
			`"getOpenIdToken" \| "getDeviceId"`
			`>;`
refactor local transport testing and local memberhsip initialization 2025-11-20 14:42:12 +01:00			`/**`
move HomeserverConnected 2025-11-21 13:04:28 +01:00			`* Gets a bearer token from the homeserver and then use it to authenticate`
			`* to the matrix RTC backend in order to get acces to the SFU.`
			`* It has built-in retry for calls to the homeserver with a backoff policy.`
refactor local transport testing and local memberhsip initialization 2025-11-20 14:42:12 +01:00			`* @param client`
			`* @param serviceUrl`
			`* @param matrixRoomId`
move HomeserverConnected 2025-11-21 13:04:28 +01:00			`* @returns Object containing the token information`
refactor local transport testing and local memberhsip initialization 2025-11-20 14:42:12 +01:00			`* @throws FailToGetOpenIdToken`
			`*/`
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00			`export async function getSFUConfigWithOpenID(`
			`client: OpenIDClientParts,`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`membership: CallMembershipIdentityParts,`
temp Signed-off-by: Timo K <toger5@hotmail.de> 2025-08-27 14:01:01 +02:00			`serviceUrl: string,`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`livekitRoomAlias: string,`
			`matrix2jwt: boolean,`
			`delayEndpointBaseUrl?: string,`
			`delayId?: string,`
temp Signed-off-by: Timo K <toger5@hotmail.de> 2025-08-27 14:01:01 +02:00			`): Promise<SFUConfig> {`
error management: Handle fail to get JWT token 2025-03-11 09:07:19 +01:00			`let openIdToken: IOpenIDToken;`
			`try {`
			`openIdToken = await doNetworkOperationWithRetry(async () =>`
			`client.getOpenIdToken(),`
			`);`
			`} catch (error) {`
			`throw new FailToGetOpenIdToken(`
			`error instanceof Error ? error : new Error("Unknown error"),`
			`);`
			`}`
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00			`logger.debug("Got openID token", openIdToken);`

temp Signed-off-by: Timo K <toger5@hotmail.de> 2025-08-27 14:01:01 +02:00			logger.info(`Trying to get JWT for focus ${serviceUrl}...`);
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`const args: [CallMembershipIdentityParts, string, string, IOpenIDToken] = [`
			`membership,`
temp Signed-off-by: Timo K <toger5@hotmail.de> 2025-08-27 14:01:01 +02:00			`serviceUrl,`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`livekitRoomAlias,`
temp Signed-off-by: Timo K <toger5@hotmail.de> 2025-08-27 14:01:01 +02:00			`openIdToken,`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`];`
			`if (matrix2jwt) {`
			`const sfuConfig = await getLiveKitJWTWithDelayDelegation(`
			`...args,`
			`delayEndpointBaseUrl,`
			`delayId,`
			`);`
			logger.info(`Got JWT from call's active focus URL.`);
			`return sfuConfig;`
			`} else {`
			`const sfuConfig = await getLiveKitJWT(...args);`
			logger.info(`Got JWT from call's active focus URL.`);
			`return sfuConfig;`
			`}`
Merge v0.4.2 hotfixes 2023-07-12 17:57:54 +01:00			`}`

			`async function getLiveKitJWT(`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`membership: CallMembershipIdentityParts,`
Merge v0.4.2 hotfixes 2023-07-12 17:57:54 +01:00			`livekitServiceURL: string,`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`livekitRoomAlias: string,`
Format code 2023-10-11 10:42:04 -04:00			`openIDToken: IOpenIDToken,`
Merge v0.4.2 hotfixes 2023-07-12 17:57:54 +01:00			`): Promise<SFUConfig> {`
			`try {`
			`const res = await fetch(livekitServiceURL + "/sfu/get", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`room: livekitRoomAlias,`
Merge v0.4.2 hotfixes 2023-07-12 17:57:54 +01:00			`openid_token: openIDToken,`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00			`device_id: membership.deviceId,`
Merge v0.4.2 hotfixes 2023-07-12 17:57:54 +01:00			`}),`
			`});`
			`if (!res.ok) {`
			`throw new Error("SFU Config fetch failed with status code " + res.status);`
			`}`
			`return await res.json();`
			`} catch (e) {`
			`throw new Error("SFU Config fetch failed with exception " + e);`
Revert "Revert "Support for getting SFU config using OIDC"" 2023-07-05 13:12:37 +01:00			`}`
			`}`
Make use of the new jwt service endpoint (with delayed event delegation) This also does all the compatibility work. When to use which endpoint to authenticate agains a jwt service. 2025-12-17 09:53:49 +01:00
			`export async function getLiveKitJWTWithDelayDelegation(`
			`membership: CallMembershipIdentityParts,`
			`livekitServiceURL: string,`
			`livekitRoomAlias: string,`
			`openIDToken: IOpenIDToken,`
			`delayEndpointBaseUrl?: string,`
			`delayId?: string,`
			`): Promise<SFUConfig> {`
			`const { userId, deviceId, memberId } = membership;`

			`const body = {`
			`room_id: livekitRoomAlias,`
			`slot_id: "m.call#ROOM",`
			`openid_token: openIDToken,`
			`member: {`
			`id: memberId,`
			`claimed_user_id: userId,`
			`claimed_device_id: deviceId,`
			`},`
			`};`

			`let bodyDalayParts = {};`
			`// Also check for empty string`
			`if (delayId && delayEndpointBaseUrl) {`
			`const delayTimeoutMs =`
			`Config.get().matrix_rtc_session?.delayed_leave_event_delay_ms ?? 1000;`
			`bodyDalayParts = {`
			`delay_id: delayId,`
			`delay_timeout: delayTimeoutMs,`
			`delay_cs_api_url: delayEndpointBaseUrl,`
			`};`
			`}`

			`try {`
			`const res = await fetch(livekitServiceURL + "/get_token", {`
			`method: "POST",`
			`headers: {`
			`"Content-Type": "application/json",`
			`},`
			`body: JSON.stringify({ ...body, ...bodyDalayParts }),`
			`});`
			`if (!res.ok) {`
			`throw new Error("SFU Config fetch failed with status code " + res.status);`
			`}`
			`return await res.json();`
			`} catch (e) {`
			`throw new Error("SFU Config fetch failed with exception " + e);`
			`}`
			`}`