studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: implement OIDC server for next-gen auth (MSC2965/2964/2966/2967)

Browse Source 
Implements a built-in OIDC authorization server that allows Matrix clients
like Element X to authenticate via OIDC, delegating user authentication
to upstream identity providers (e.g. Kanidm) through the existing SSO flow.

## Endpoints
- GET /_matrix/client/unstable/org.matrix.msc2965/auth_issuer
- GET /.well-known/openid-configuration
- POST /_tuwunel/oidc/registration (Dynamic Client Registration)
- GET /_tuwunel/oidc/authorize → SSO redirect → _complete bridge
- POST /_tuwunel/oidc/token (auth code exchange + refresh)
- POST /_tuwunel/oidc/revoke
- GET /_tuwunel/oidc/jwks
- GET /_tuwunel/oidc/userinfo
- GET /_tuwunel/oidc/account (placeholder)

## Spec compliance fixes
- OAuth error responses use RFC 6749 §5.2 format ({"error": "...", "error_description": "..."})
- PKCE code_verifier validation per RFC 7636 §4.1
- Scope token matching uses exact whitespace-delimited comparison per RFC 6749 §3.3
- Typed ProviderMetadata struct for the discovery document
- DCR includes policy_uri, tos_uri, software_id, software_version per RFC 7591

Refs: #246, #266
This commit is contained in:
dasha_uwu
2026-02-22 12:58:01 +05:00
committed by Sienna Meridian Satterwhite
parent 6a3588ed0b
commit ce8abf6bf1
8 changed files with 481 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/api/client/versions.rs
View File

@@ -51,7 +51,7 @@ static VERSIONS: [&str; 17] = [
"v1.15", /* custom profile fields */
];
static UNSTABLE_FEATURES: [&str; 18] = [
static UNSTABLE_FEATURES: [&str; 22] = [
"org.matrix.e2e_cross_signing",
// private read receipts (https://github.com/matrix-org/matrix-spec-proposals/pull/2285)
"org.matrix.msc2285.stable",
@@ -86,4 +86,12 @@ static UNSTABLE_FEATURES: [&str; 18] = [
"org.matrix.simplified_msc3575",
// Allow room moderators to view redacted event content (https://github.com/matrix-org/matrix-spec-proposals/pull/2815)
"fi.mau.msc2815",
// OIDC-native auth: authorization code grant (https://github.com/matrix-org/matrix-spec-proposals/pull/2964)
"org.matrix.msc2964",
// OIDC-native auth: auth issuer discovery (https://github.com/matrix-org/matrix-spec-proposals/pull/2965)
"org.matrix.msc2965",
// OIDC-native auth: dynamic client registration (https://github.com/matrix-org/matrix-spec-proposals/pull/2966)
"org.matrix.msc2966",
// OIDC-native auth: API scopes (https://github.com/matrix-org/matrix-spec-proposals/pull/2967)
"org.matrix.msc2967",
];