OIDC: navigate to authorization endpoint #3499
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kerryarchibald
changed the title
3 tasks
kerryarchibald
commented
Jun 23, 2023
| @@ -863,6 +863,7 @@ export interface TimestampToEventResponse { | |||
| interface IWhoamiResponse { | |||
| user_id: string; | |||
| device_id?: string; | |||
| is_guest?: boolean; | |||
There was a problem hiding this comment.
3 tasks
richvdh
requested changes
Jun 23, 2023
src/oidc/authorize.ts
Outdated
Comment on lines
98
to
105
| export type BearerToken = { | ||
| token_type: "Bearer"; | ||
| access_token: string; | ||
| scope: string; | ||
| refresh_token?: string; | ||
| expires_in?: number; | ||
| id_token?: string; | ||
| }; |
There was a problem hiding this comment.
I don't think this whole thing is a bearer token, in OpenID terminology. As I understand it, the "bearer token" per se is just access_token, and obviously this contains a whole bunch of other stuff.
Maybe we can call this BearerTokenResponse, or something?
Suggested change
| export type BearerToken = { | |
| token_type: "Bearer"; | |
| access_token: string; | |
| scope: string; | |
| refresh_token?: string; | |
| expires_in?: number; | |
| id_token?: string; | |
| }; | |
| /** | |
| * The expected response type from the authorization URL for a bearer token. | |
| * | |
| * See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4, | |
| * https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK. | |
| */ | |
| export type BearerTokenResponse = { | |
| token_type: "Bearer"; | |
| access_token: string; | |
| scope: string; | |
| refresh_token?: string; | |
| expires_in?: number; | |
| id_token?: string; | |
| }; |
There was a problem hiding this comment.
isValidBearerToken needs a similar rename
src/oidc/authorize.ts
Outdated
| }; | ||
| const isValidBearerToken = (token: any): token is BearerToken => | ||
| typeof token == "object" && | ||
| token["token_type"] === "Bearer" && |
There was a problem hiding this comment.
https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK says "Note that the token_type value is case insensitive."
... which might also be a problem for the type definition?
There was a problem hiding this comment.
Good catch, added some handling for this
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
…hub.com/matrix-org/matrix-js-sdk into kerry/25574/oidc-authorization-endpoint
richvdh
approved these changes
Jun 26, 2023
There was a problem hiding this comment.
LGTM.
At some point, not necessarily as part of this PR: it would be good to find out why these things aren't appearing in the documentation for the js-sdk (cf https://pr3499--js-sdk-docs-previews.netlify.app/stable/). It probably means they aren't exported correctly via src/matrix.ts.
This was referenced Jul 7, 2023
Merged
su-ex
added a commit
to SchildiChat/matrix-js-sdk
that referenced
this pull request
Feb 22, 2024
* The Browserify artifact is being deprecated, scheduled for removal in the October 10th release cycle. ([\matrix-org#3189](matrix-org#3189)). * ElementR: Add `CryptoApi#bootstrapSecretStorage` ([\matrix-org#3483](matrix-org#3483)). Contributed by @florianduros. * Deprecate `MatrixClient.findVerificationRequestDMInProgress`, `MatrixClient.getVerificationRequestsToDeviceInProgress`, and `MatrixClient.requestVerification`, in favour of methods in `CryptoApi`. ([\matrix-org#3474](matrix-org#3474)). * Introduce a new `Crypto.VerificationRequest` interface, and deprecate direct access to the old `VerificationRequest` class. Also deprecate some related classes that were exported from `src/crypto/verification/request/VerificationRequest` ([\matrix-org#3449](matrix-org#3449)). * OIDC: navigate to authorization endpoint ([\matrix-org#3499](matrix-org#3499)). Contributed by @kerryarchibald. * Support for interactive device verification in Element-R. ([\matrix-org#3505](matrix-org#3505)). * Support for interactive device verification in Element-R. ([\matrix-org#3508](matrix-org#3508)). * Support for interactive device verification in Element-R. ([\matrix-org#3490](matrix-org#3490)). Fixes element-hq/element-web#25316. * Element-R: Store cross signing keys in secret storage ([\matrix-org#3498](matrix-org#3498)). Contributed by @florianduros. * OIDC: add dynamic client registration util function ([\matrix-org#3481](matrix-org#3481)). Contributed by @kerryarchibald. * Add getLastUnthreadedReceiptFor utility to Thread delegating to the underlying Room ([\matrix-org#3493](matrix-org#3493)). * ElementR: Add `rust-crypto#createRecoveryKeyFromPassphrase` implementation ([\matrix-org#3472](matrix-org#3472)). Contributed by @florianduros. * Aggregate relations regardless of whether event fits into the timeline ([\matrix-org#3496](matrix-org#3496)). Fixes element-hq/element-web#25596. * Fix bug where switching media caused media in subsequent calls to fail ([\matrix-org#3489](matrix-org#3489)). * Fix: remove polls from room state on redaction ([\matrix-org#3475](matrix-org#3475)). Fixes element-hq/element-web#25573. Contributed by @kerryarchibald. * Fix export type `GeneratedSecretStorageKey` ([\matrix-org#3479](matrix-org#3479)). Contributed by @florianduros. * Close IDB database before deleting it to prevent spurious unexpected close errors ([\matrix-org#3478](matrix-org#3478)). Fixes element-hq/element-web#25597.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For element-hq/element-web#25574
Used matrix-org/matrix-react-sdk#11096
3.1.1. Authorization Code Flow Steps
1. Client prepares an Authentication Request containing the desired request parameters.
2. Client sends the request to the Authorization Server.
3. Authorization Server Authenticates the End-User.
4. Authorization Server obtains End-User Consent/Authorization.
5. Authorization Server sends the End-User back to the Client with an Authorization Code.
6. Client requests a response using the Authorization Code at the Token Endpoint.
7. Client receives a response that contains an ID Token and Access Token in the response body.
8. Client validates the ID token and retrieves the End-User's Subject Identifier.
This task addresses steps 1-5.
Splitting this flow into two parts to keep change set a reasonable size.
Checklist
Here's what your changelog entry will look like:
✨ Features