Switch OIDC primarily to new /auth_metadata API (#4626)

2025-12-16 09:42:23 +03:00 · 2025-01-22 13:48:27 +00:00
parent 61375ef38a
commit c0e30ceca0
16 changed files with 267 additions and 193 deletions
--- a/src/client.ts
+++ b/src/client.ts
@@ -247,6 +247,7 @@ import { ImageInfo } from "./@types/media.ts";
 import { Capabilities, ServerCapabilities } from "./serverCapabilities.ts";
 import { sha256 } from "./digest.ts";
 import { keyFromAuthData } from "./common-crypto/key-passphrase.ts";
+import { discoverAndValidateOIDCIssuerWellKnown, OidcClientConfig, validateAuthMetadataAndKeys } from "./oidc/index.ts";

 export type Store = IStore;

@@ -10352,6 +10353,7 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
     * @returns Resolves: A promise of an object containing the OIDC issuer if configured
     * @returns Rejects: when the request fails (module:http-api.MatrixError)
     * @experimental - part of MSC2965
+     * @deprecated in favour of getAuthMetadata
     */
    public async getAuthIssuer(): Promise<{
        issuer: string;
@@ -10360,6 +10362,34 @@ export class MatrixClient extends TypedEventEmitter<EmittedEvents, ClientEventHa
            prefix: ClientPrefix.Unstable + "/org.matrix.msc2965",
        });
    }
+
+    /**
+     * Discover and validate delegated auth configuration
+     * - delegated auth issuer openid-configuration is reachable
+     * - delegated auth issuer openid-configuration is configured correctly for us
+     * Fetches /auth_metadata falling back to legacy implementation using /auth_issuer followed by
+     * https://oidc-issuer.example.com/.well-known/openid-configuration and other files linked therein.
+     * When successful, validated metadata is returned
+     * @returns validated authentication metadata and optionally signing keys
+     * @throws when delegated auth config is invalid or unreachable
+     * @experimental - part of MSC2965
+     */
+    public async getAuthMetadata(): Promise<OidcClientConfig> {
+        let authMetadata: unknown | undefined;
+        try {
+            authMetadata = await this.http.request<unknown>(Method.Get, "/auth_metadata", undefined, undefined, {
+                prefix: ClientPrefix.Unstable + "/org.matrix.msc2965",
+            });
+        } catch (e) {
+            if (e instanceof MatrixError && e.errcode === "M_UNRECOGNIZED") {
+                const { issuer } = await this.getAuthIssuer();
+                return discoverAndValidateOIDCIssuerWellKnown(issuer);
+            }
+            throw e;
+        }
+
+        return validateAuthMetadataAndKeys(authMetadata);
+    }
 }

 function getUnstableDelayQueryOpts(delayOpts: SendDelayedEventRequestOpts): QueryDict {