* Refactor how token refreshing works to be more resilient
1. ensure we do use the new token if it is not explicitly inhibited by the caller
2. eagerly refresh token if we know it is expired
3. allow refreshing a token multiple times if e.g. on bad connection or the environment has been slept and sufficient time has passed since the last refresh attempt
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Iterate
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Iterate
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Add exponential backoff
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Ensure no timing effects on `authedRequest` method call
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Iterate
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Abstract logout-causing error type from tokenRefreshFunction calls
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Add test
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* OIDC: only pass logo_uri, policy_uri, tos_uri if they conform to "common base"
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Tests
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
...and renames them, removing the special lowercase and uppercase
versions and exporting the underlying function instead.
Any apps that use these will either need to take the speed hit from
secure random functions and use the new ones, or write their own
insecure versions.
The lowercase and uppercasde verisons were used exactly once each
in element-web and never in js-sdk itself. The underlying function
is very simple and exporting just this gives more flexibility with
fewer exports.
* Handle when `aud` OIDC claim is an Array
The `aud` claim of OIDC id_tokens [can be an array](ce6d694639/src/Claims.ts (L92)) but the existing logic
incorrectly assumes `aud` is always a string.
This PR adds the necessary check.
* Clarify `aud` OIDC claim check
* Fix for prettier
---------
Co-authored-by: David Baker <dbkr@users.noreply.github.com>
* Update OIDC registration types to match latest MSC2966 state
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Add comment
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Fix hashed ID server lookups with no Olm
It used the hash function from Olm (presumably to work cross-platform)
but subtle crypto is available on node nowadays so we can just use
that.
Refactor existing code that did this out to a common function, add
tests.
* Test the code when crypto is available
* Test case of no crypto available
* Move digest file to src to get it out of the way of the olm / e2e stuff
* Fix import
* Fix error string & doc
* subtle crypto, not webcrypto
* Extract the base64 part
* Fix test
* Move test file too
* Add more doc
* Fix imports
* Inline subtlecrypto shim
The presence of this thing just makes code more confusing.
* Remove pre-node-20 webcrypto hack
Until node 20.0, the webcrypto API lived at `crypto.webCrypto`. It's now
available at the same place as in web -- `globalThis.crypto`.
See: https://nodejs.org/docs/latest-v20.x/api/webcrypto.html#web-crypto-api
* oidc auth test: Clean up mocking
THe previous reset code wasn't really resetting the right thing. Let's just
re-init `window.crypto` on each test.
* Remove `crypto` shim
This isn't very useful any more.
I believe the only reason we had this was that, before Node v11.0,
`TextEncoder` wasn't available in the global object. Nowadays it is (see
https://nodejs.org/api/util.html#class-utiltextencoder), so let's get rid of
it.
* Add `device_authorization_endpoint` field to OIDC issuer well-known metadata
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Allow `validateIdToken` to skip handling nonce when none is present
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Tweak registerOidcClient to check OIDC grant_types_supported before registration
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Update dependency oidc-client-ts to v3
* Update jwt-decode so that oidc-client-ts doesn't run its own and thus we can mock
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Merge
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* delint
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Sort package.json
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Ensure oidc-client-ts 3.0.1 to drop crypto-js
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Michael Telatynski <7t3chguy@gmail.com>
* Allow specifying more OIDC client metadata for dynamic registration
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Allow specifying url_state for dynamic oidc client registration
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Export NonEmptyArray type
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Allow specifying more OIDC client metadata for dynamic registration
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Export NonEmptyArray type
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* Fix test
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---------
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
* add tokenRefresher class
* export generateScope
* export oidc from matrix
* mark experimental
* Apply suggestions from code review
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* remove some vars in test
* make TokenRefresher un-abstract, comments and improvements
* remove invalid jsdoc
* Update src/oidc/tokenRefresher.ts
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* Code review improvements
* document TokenRefreshFunction
---------
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* use oidc-client-ts during oidc discovery
* export new type for auth config
* deprecate generateAuthorizationUrl in favour of generateOidcAuthorizationUrl
* testing util for oidc configurations
* test generateOidcAuthorizationUrl
* lint
* test discovery
* dont pass whole client wellknown to oidc validation funcs
* add nonce
* use oidc-client-ts for oidc response
* validate user state and update tests
* use oidc-client-ts for code exchange
* use oidc-client-ts in completing auth grant
* use client userState for homeserver
* more comments
* use oidc-client-ts during oidc discovery
* export new type for auth config
* deprecate generateAuthorizationUrl in favour of generateOidcAuthorizationUrl
* testing util for oidc configurations
* test generateOidcAuthorizationUrl
* lint
* test discovery
* dont pass whole client wellknown to oidc validation funcs
* add nonce
* use client userState for homeserver
* utils for authorization step in OIDC code grant
* tidy
* completeAuthorizationCodeGrant util functions
* response_mode=query
* add scope to bearertoken type
* add is_guest to whoami response type
* doc comments
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* use shimmed TextEncoder
* fetchMockJest -> fetchMock
* comment
* bearertokenresponse
* test for lowercase bearer
* handle lowercase token_type
---------
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
* validate m.authentication, fetch issuer wellknown
* move validation functions into separate file
* test validateWellKnownAuthentication
* test validateOIDCIssuerWellKnown
* add authentication cases to autodiscovery tests
* test invalid authentication config on wk
* improve types
* test case for account:false
* use hasOwnProperty in validateWellKnownAuthentication
* comments
* make registration_endpoint optional
