fix(oidc): Element X compatibility — drop openid scope requirement, use registered client name

Element X doesn't request the openid scope (which is not mandatory per
OIDC spec). The id_token is still only generated when openid IS in scope.

Also use the DCR-registered client name as the device display name
instead of the hardcoded "OIDC Client" fallback.

Ref: https://github.com/matrix-construct/tuwunel/pull/342#issuecomment-2737905329
2026-03-20 14:50:23 +00:00
parent 489ff6f2a2
commit 890b7c6c57


@@ -76,8 +76,6 @@ pub(crate) async fn authorize_route(State(services): State<crate::State>, reques
oidc.validate_redirect_uri(&params.client_id, &params.redirect_uri).await?; oidc.validate_redirect_uri(&params.client_id, &params.redirect_uri).await?;
if !scope_contains_token(&params.scope, "openid") { return Err!(Request(InvalidParam("openid scope is required"))); }
let req_id = utils::random_string(OIDC_REQ_ID_LENGTH); let req_id = utils::random_string(OIDC_REQ_ID_LENGTH);
let now = SystemTime::now(); let now = SystemTime::now();
@@ -148,7 +146,9 @@ async fn token_authorization_code(services: &tuwunel_service::Services, body: &T
let refresh_token = generate_refresh_token(); let refresh_token = generate_refresh_token();
let device_id: Option<OwnedDeviceId> = extract_device_id(&session.scope).map(OwnedDeviceId::from); let device_id: Option<OwnedDeviceId> = extract_device_id(&session.scope).map(OwnedDeviceId::from);
let device_id = services.users.create_device(user_id, device_id.as_deref(), (Some(&access_token), expires_in), Some(&refresh_token), Some("OIDC Client"), None).await?; let client_name = oidc.get_client(client_id).await.ok().and_then(|c| c.client_name);
let device_display_name = client_name.as_deref().unwrap_or("OIDC Client");
let device_id = services.users.create_device(user_id, device_id.as_deref(), (Some(&access_token), expires_in), Some(&refresh_token), Some(device_display_name), None).await?;
info!("{user_id} logged in via OIDC (device {device_id})"); info!("{user_id} logged in via OIDC (device {device_id})");
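Review bot: The `client_name` read via `oidc.get_client(client_id)` on the new side of the second hunk is whatever the client supplied at dynamic registration, and it reaches `create_device` as the device display name with no length bound or control-character filtering, so a registration can set an arbitrarily long or misleading name that then appears in the user's device list. Consider trimming and bounding it before use, e.g. `let device_display_name = client_name.as_deref().map(str::trim).filter(|n| !n.is_empty() && n.chars().all(|c| !c.is_control())).unwrap_or("OIDC Client");` — hedged, since any validation of client metadata on the registration path is outside this hunk. The `.ok()` on the lookup also turns any error into the generic fallback name; a comment such as `// fall back to the generic name if the client record cannot be loaded` would make that deliberate. `token_authorization_code` begins and continues outside the hunk; the first hunk's removal of the openid check also leaves no visible validation of `params.scope` in `authorize_route`, which may be handled elsewhere but is worth confirming.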