Merge pull request #4604 from zecakeh/qr-login-oauth2

refactor(auth-qrcode): Use oauth2 crate instead of openidconnect

Author: poljar

Cargo.lock

@@ -104,7 +104,7 @@ impl From<qrcode::QRCodeLoginError> for HumanQrLoginError {
                 _ => HumanQrLoginError::Unknown,
             },
 
-            QRCodeLoginError::Oidc(e) => {
+            QRCodeLoginError::Oauth(e) => {
                 if let Some(e) = e.as_request_token_error() {
                     match e {
                         DeviceCodeErrorResponseType::AccessDenied => HumanQrLoginError::Declined,
@@ -153,8 +153,8 @@ pub enum QrLoginProgress {
         /// first digit is a zero.
         check_code_string: String,
     },
-    /// We are waiting for the login and for the OIDC provider to give us an
-    /// access token.
+    /// We are waiting for the login and for the OAuth 2.0 authorization server
+    /// to give us an access token.
     WaitingForToken { user_code: String },
     /// The login has successfully finished.
     Done,
@@ -673,8 +673,8 @@ impl ClientBuilder {
     ///
     /// This method will build the client and immediately attempt to log the
     /// client in using the provided [`QrCodeData`] using the login
-    /// mechanism described in [MSC4108]. As such this methods requires OIDC
-    /// support as well as sliding sync support.
+    /// mechanism described in [MSC4108]. As such this methods requires OAuth
+    /// 2.0 support as well as sliding sync support.
     ///
     /// The usage of the progress_listener is required to transfer the
     /// [`CheckCode`] to the existing client.

bindings/matrix-sdk-ffi/src/client_builder.rs

@@ -39,6 +39,9 @@ All notable changes to this project will be documented in this file.
     `ClientCredentials`
   - `Oidc::restore_registered_client()` must NOT be called after
     `Oidc::register_client()` anymore.
+- [**breaking**]: The `authentication::qrcode` module now reexports types from
+  `oauth2` rather than `openidconnect`. Some type names might have changed.
+  ([#4604](https://github.com/matrix-org/matrix-rust-sdk/pull/4604))
 
 ## [0.10.0] - 2025-02-04
 

crates/matrix-sdk/CHANGELOG.md

@@ -53,7 +53,7 @@ experimental-oidc = [
     "dep:rand",
     "dep:sha2",
     "dep:tower",
-    "dep:openidconnect",
+    "dep:oauth2",
 ]
 experimental-widgets = ["dep:language-tags", "dep:uuid"]
 
@@ -129,7 +129,7 @@ tokio = { workspace = true, features = ["macros"] }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 backoff = { version = "0.4.0", features = ["tokio"] }
-openidconnect = { version = "4.0.0", optional = true }
+oauth2 = { version = "5.0.0", default-features = false, features = ["reqwest"], optional = true }
 # only activate reqwest's stream feature on non-wasm, the wasm part seems to not
 # support *sending* streams, which makes it useless for us.
 reqwest = { workspace = true, features = ["stream", "gzip", "http2"] }

crates/matrix-sdk/Cargo.toml

@@ -22,13 +22,13 @@ use matrix_sdk_base::{
     crypto::types::qr_login::{QrCodeData, QrCodeMode},
     SessionMeta,
 };
-use openidconnect::DeviceCodeErrorResponseType;
+use oauth2::DeviceCodeErrorResponseType;
 use ruma::OwnedDeviceId;
 use tracing::trace;
 use vodozemac::ecies::CheckCode;
 
 use super::{
-    messages::LoginFailureReason, oidc_client::OidcClient, DeviceAuhorizationOidcError,
+    messages::LoginFailureReason, oauth_client::OauthClient, DeviceAuthorizationOauthError,
     SecureChannelError,
 };
 #[cfg(doc)]
@@ -64,11 +64,13 @@ pub enum LoginProgress {
         /// The check code we need to, out of band, send to the other device.
         check_code: CheckCode,
     },
-    /// We're waiting for the OIDC provider to give us the access token. This
-    /// will only happen if the other device allows the OIDC provider to so.
+    /// We're waiting for the OAuth 2.0 authorization server to give us the
+    /// access token. This will only happen if the other device allows the
+    /// OAuth 2.0 authorization server to do so.
     WaitingForToken {
-        /// The user code the OIDC provider has given us, the OIDC provider
-        /// might ask the other device to enter this code.
+        /// The user code the OAuth 2.0 authorization server has given us, the
+        /// OAuth 2.0 authorization server might ask the other device to
+        /// enter this code.
         user_code: String,
     },
     /// The login process has completed.
@@ -113,20 +115,20 @@ impl<'a> IntoFuture for LoginWithQrCode<'a> {
             let check_code = channel.check_code().to_owned();
             self.state.set(LoginProgress::EstablishingSecureChannel { check_code });
 
-            // Register the client with the OIDC provider.
-            trace!("Registering the client with the OIDC provider.");
-            let oidc_client = self.register_client().await?;
+            // Register the client with the OAuth 2.0 authorization server.
+            trace!("Registering the client with the OAuth 2.0 authorization server.");
+            let oauth_client = self.register_client().await?;
 
             // We want to use the Curve25519 public key for the device ID, so let's generate
             // a new vodozemac `Account` now.
             let account = vodozemac::olm::Account::new();
             let public_key = account.identity_keys().curve25519;
             let device_id = public_key;
 
-            // Let's tell the OIDC provider that we want to log in using the device
-            // authorization grant described in [RFC8628](https://datatracker.ietf.org/doc/html/rfc8628).
+            // Let's tell the OAuth 2.0 authorization server that we want to log in using
+            // the device authorization grant described in [RFC8628](https://datatracker.ietf.org/doc/html/rfc8628).
             trace!("Requesting device authorization.");
-            let auth_grant_response = oidc_client.request_device_authorization(device_id).await?;
+            let auth_grant_response = oauth_client.request_device_authorization(device_id).await?;
 
             // Now we need to inform the other device of the login protocols we picked and
             // the URL they should use to log us in.
@@ -153,17 +155,17 @@ impl<'a> IntoFuture for LoginWithQrCode<'a> {
                 }
             }
 
-            // The OIDC provider may or may not show this user code to double check that
-            // we're talking to the right OIDC provider. Let us display this, so
+            // The OAuth 2.0 authorization server may or may not show this user code to
+            // double check that we're talking to the right server. Let us display this, so
             // the other device can double check this as well.
             let user_code = auth_grant_response.user_code();
             self.state
                 .set(LoginProgress::WaitingForToken { user_code: user_code.secret().to_owned() });
 
-            // Let's now wait for the access token to be provided to use by the OIDC
-            // provider.
-            trace!("Waiting for the OIDC provider to give us the access token.");
-            let session_tokens = match oidc_client.wait_for_tokens(&auth_grant_response).await {
+            // Let's now wait for the access token to be provided to use by the OAuth 2.0
+            // authorization server.
+            trace!("Waiting for the OAuth 2.0 authorization server to give us the access token.");
+            let session_tokens = match oauth_client.wait_for_tokens(&auth_grant_response).await {
                 Ok(t) => t,
                 Err(e) => {
                     // If we received an error, and it's one of the ones we should report to the
@@ -190,11 +192,11 @@ impl<'a> IntoFuture for LoginWithQrCode<'a> {
             };
             self.client.oidc().set_session_tokens(session_tokens);
 
-            // We only received an access token from the OIDC provider, we have no clue who
-            // we are, so we need to figure out our user ID now.
-            // TODO: This snippet is almost the same as the Oidc::finish_login_method(), why
-            // is that method even a public method and not called as part of the set session
-            // tokens method.
+            // We only received an access token from the OAuth 2.0 authorization server, we
+            // have no clue who we are, so we need to figure out our user ID
+            // now. TODO: This snippet is almost the same as the
+            // Oidc::finish_login_method(), why is that method even a public
+            // method and not called as part of the set session tokens method.
             trace!("Discovering our own user id.");
             let whoami_response =
                 self.client.whoami().await.map_err(QRCodeLoginError::UserIdDiscovery)?;
@@ -288,30 +290,26 @@ impl<'a> LoginWithQrCode<'a> {
         Ok(channel)
     }
 
-    async fn register_client(&self) -> Result<OidcClient, DeviceAuhorizationOidcError> {
-        // Let's figure out the OIDC issuer, this fetches the info from the homeserver.
-        let issuer = self
-            .client
-            .oidc()
+    async fn register_client(&self) -> Result<OauthClient, DeviceAuthorizationOauthError> {
+        let oidc = self.client.oidc();
+
+        // Let's figure out the OAuth 2.0 issuer, this fetches the info from the
+        // homeserver.
+        let issuer = oidc
             .fetch_authentication_issuer()
             .await
-            .map_err(DeviceAuhorizationOidcError::AuthenticationIssuer)?;
+            .map_err(DeviceAuthorizationOauthError::AuthenticationIssuer)?;
 
-        // Now we register the client with the OIDC provider.
+        // Now we register the client with the OAuth 2.0 authorization server.
         let registration_response =
-            self.client.oidc().register_client(&issuer, self.client_metadata.clone(), None).await?;
+            oidc.register_client(&issuer, self.client_metadata.clone(), None).await?;
 
         // We're now switching to the oauth2 crate, it has a bit of a strange API
         // where you need to provide the HTTP client in every call you make.
         let http_client = self.client.inner.http_client.clone();
+        let server_metadata = oidc.provider_metadata().await?;
 
-        OidcClient::new(
-            registration_response.client_id,
-            issuer,
-            http_client,
-            registration_response.client_secret.as_deref(),
-        )
-        .await
+        OauthClient::new(registration_response.client_id, &server_metadata, http_client)
     }
 }
 
@@ -614,21 +612,26 @@ mod test {
         alice.send_json(message).await.unwrap();
     }
 
-    async fn mock_oidc_provider(server: &MockServer, token_response: ResponseTemplate) {
+    async fn mock_oauth_authorization_server(
+        server: &MockServer,
+        token_response: ResponseTemplate,
+    ) {
         Mock::given(method("GET"))
             .and(path("/_matrix/client/unstable/org.matrix.msc2965/auth_issuer"))
             .respond_with(ResponseTemplate::new(200).set_body_json(json!({
                 "issuer": server.uri(),
 
             })))
             .expect(1)
+            .named("auth_issuer")
             .mount(server)
             .await;
 
         Mock::given(method("GET"))
             .and(path("/.well-known/openid-configuration"))
             .respond_with(ResponseTemplate::new(200).set_body_json(open_id_configuration(server)))
             .expect(1..)
+            .named("server_metadata")
             .mount(server)
             .await;
 
@@ -639,26 +642,29 @@ mod test {
                 "client_id_issued_at": 1716375696
             })))
             .expect(1)
+            .named("registration_endpoint")
             .mount(server)
             .await;
 
         Mock::given(method("GET"))
             .and(path("/oauth2/keys.json"))
             .respond_with(ResponseTemplate::new(200).set_body_json(keys_json()))
-            .expect(1)
+            .named("jwks")
             .mount(server)
             .await;
 
         Mock::given(method("POST"))
             .and(path("/oauth2/device"))
             .respond_with(ResponseTemplate::new(200).set_body_json(device_code(server)))
             .expect(1)
+            .named("device_authorization_endpoint")
             .mount(server)
             .await;
 
         Mock::given(method("POST"))
             .and(path("/oauth2/token"))
             .respond_with(token_response)
+            .named("token_endpoint")
             .mount(server)
             .await;
     }
@@ -669,7 +675,8 @@ mod test {
         let rendezvous_server = MockedRendezvousServer::new(&server, "abcdEFG12345").await;
         let (sender, receiver) = tokio::sync::oneshot::channel();
 
-        mock_oidc_provider(&server, ResponseTemplate::new(200).set_body_json(token())).await;
+        mock_oauth_authorization_server(&server, ResponseTemplate::new(200).set_body_json(token()))
+            .await;
 
         Mock::given(method("GET"))
             .and(path("/_matrix/client/r0/account/whoami"))
@@ -764,7 +771,7 @@ mod test {
         let rendezvous_server = MockedRendezvousServer::new(&server, "abcdEFG12345").await;
         let (sender, receiver) = tokio::sync::oneshot::channel();
 
-        mock_oidc_provider(&server, token_response).await;
+        mock_oauth_authorization_server(&server, token_response).await;
 
         Mock::given(method("GET"))
             .and(path("/_matrix/client/r0/account/whoami"))
@@ -830,7 +837,7 @@ mod test {
         )
         .await;
 
-        assert_let!(Err(QRCodeLoginError::Oidc(e)) = result);
+        assert_let!(Err(QRCodeLoginError::Oauth(e)) = result);
         assert_eq!(
             e.as_request_token_error(),
             Some(&DeviceCodeErrorResponseType::AccessDenied),
@@ -848,7 +855,7 @@ mod test {
         )
         .await;
 
-        assert_let!(Err(QRCodeLoginError::Oidc(e)) = result);
+        assert_let!(Err(QRCodeLoginError::Oauth(e)) = result);
         assert_eq!(
             e.as_request_token_error(),
             Some(&DeviceCodeErrorResponseType::ExpiredToken),