refactor(oidc): Remove support for ID tokens

ID tokens are a feature of OpenID Connect, we don't need them to support OAuth 2.0.

Signed-off-by: Kévin Commaille <[email protected]>

Author: zecakeh

bindings/matrix-sdk-ffi/src/client.rs

@@ -10,12 +10,7 @@ use matrix_sdk::{
     authentication::oidc::{
         registrations::{ClientId, OidcRegistrations},
         requests::account_management::AccountManagementActionFull,
-        types::{
-            registration::{
-                ClientMetadata, ClientMetadataVerificationError, VerifiedClientMetadata,
-            },
-            requests::Prompt as SdkOidcPrompt,
-        },
+        types::{registration::VerifiedClientMetadata, requests::Prompt as SdkOidcPrompt},
         OidcAuthorizationData, OidcSession,
     },
     event_cache::EventCacheError,
@@ -1613,19 +1608,11 @@ impl Session {
                         matrix_sdk::authentication::oidc::OidcSessionTokens {
                             access_token,
                             refresh_token,
-                            latest_id_token,
                         },
                     issuer,
                 } = api.user_session().context("Missing session")?;
                 let client_id = api.client_id().context("OIDC client ID is missing.")?.0.clone();
-                let client_metadata =
-                    api.client_metadata().context("OIDC client metadata is missing.")?.clone();
-                let oidc_data = OidcSessionData {
-                    client_id,
-                    client_metadata,
-                    latest_id_token: latest_id_token.map(|t| t.to_string()),
-                    issuer,
-                };
+                let oidc_data = OidcSessionData { client_id, issuer };
 
                 let oidc_data = serde_json::to_string(&oidc_data).ok();
                 Ok(Session {
@@ -1658,14 +1645,7 @@ impl TryFrom<Session> for AuthSession {
 
         if let Some(oidc_data) = oidc_data {
             // Create an OidcSession.
-            let oidc_data = serde_json::from_str::<OidcUnvalidatedSessionData>(&oidc_data)?
-                .validate()
-                .context("OIDC metadata validation failed.")?;
-            let latest_id_token = oidc_data
-                .latest_id_token
-                .map(TryInto::try_into)
-                .transpose()
-                .context("OIDC latest_id_token is invalid.")?;
+            let oidc_data = serde_json::from_str::<OidcSessionData>(&oidc_data)?;
 
             let user_session = matrix_sdk::authentication::oidc::UserSession {
                 meta: matrix_sdk::SessionMeta {
@@ -1675,16 +1655,12 @@ impl TryFrom<Session> for AuthSession {
                 tokens: matrix_sdk::authentication::oidc::OidcSessionTokens {
                     access_token,
                     refresh_token,
-                    latest_id_token,
                 },
                 issuer: oidc_data.issuer,
             };
 
-            let session = OidcSession {
-                client_id: ClientId(oidc_data.client_id),
-                metadata: oidc_data.client_metadata,
-                user: user_session,
-            };
+            let session =
+                OidcSession { client_id: ClientId(oidc_data.client_id), user: user_session };
 
             Ok(AuthSession::Oidc(session.into()))
         } else {
@@ -1707,63 +1683,31 @@ impl TryFrom<Session> for AuthSession {
 
 /// Represents a client registration against an OpenID Connect authentication
 /// issuer.
-#[derive(Serialize)]
+#[derive(Serialize, Deserialize)]
+#[serde(try_from = "OidcSessionDataDeHelper")]
 pub(crate) struct OidcSessionData {
     client_id: String,
-    client_metadata: VerifiedClientMetadata,
-    latest_id_token: Option<String>,
     issuer: String,
 }
 
-/// Represents an unverified client registration against an OpenID Connect
-/// authentication issuer. Call `validate` on this to use it for restoration.
 #[derive(Deserialize)]
-#[serde(try_from = "OidcUnvalidatedSessionDataDeHelper")]
-pub(crate) struct OidcUnvalidatedSessionData {
+struct OidcSessionDataDeHelper {
     client_id: String,
-    client_metadata: ClientMetadata,
-    latest_id_token: Option<String>,
-    issuer: String,
-}
-
-impl OidcUnvalidatedSessionData {
-    /// Validates the data so that it can be used.
-    fn validate(self) -> Result<OidcSessionData, ClientMetadataVerificationError> {
-        Ok(OidcSessionData {
-            client_id: self.client_id,
-            client_metadata: self.client_metadata.validate()?,
-            latest_id_token: self.latest_id_token,
-            issuer: self.issuer,
-        })
-    }
-}
-
-#[derive(Deserialize)]
-struct OidcUnvalidatedSessionDataDeHelper {
-    client_id: String,
-    client_metadata: ClientMetadata,
-    latest_id_token: Option<String>,
     issuer_info: Option<AuthenticationServerInfo>,
     issuer: Option<String>,
 }
 
-impl TryFrom<OidcUnvalidatedSessionDataDeHelper> for OidcUnvalidatedSessionData {
+impl TryFrom<OidcSessionDataDeHelper> for OidcSessionData {
     type Error = String;
 
-    fn try_from(value: OidcUnvalidatedSessionDataDeHelper) -> Result<Self, Self::Error> {
-        let OidcUnvalidatedSessionDataDeHelper {
-            client_id,
-            client_metadata,
-            latest_id_token,
-            issuer_info,
-            issuer,
-        } = value;
+    fn try_from(value: OidcSessionDataDeHelper) -> Result<Self, Self::Error> {
+        let OidcSessionDataDeHelper { client_id, issuer_info, issuer } = value;
 
         let issuer = issuer
             .or(issuer_info.map(|info| info.issuer))
             .ok_or_else(|| "missing field `issuer`".to_owned())?;
 
-        Ok(Self { client_id, client_metadata, latest_id_token, issuer })
+        Ok(Self { client_id, issuer })
     }
 }
 

crates/matrix-sdk/src/authentication/oidc/backend/mock.rs

@@ -29,7 +29,6 @@ use mas_oidc_client::{
         iana::oauth::OAuthTokenTypeHint,
         oidc::{ProviderMetadataVerificationError, VerifiedProviderMetadata},
         registration::{ClientRegistrationResponse, VerifiedClientMetadata},
-        IdToken,
     },
 };
 use url::Url;
@@ -118,7 +117,6 @@ impl OidcBackend for MockImpl {
         &self,
         _provider_metadata: VerifiedProviderMetadata,
         _credentials: ClientCredentials,
-        _metadata: VerifiedClientMetadata,
         _auth_code: AuthorizationCode,
         _validation_data: AuthorizationValidationData,
     ) -> Result<OidcSessionTokens, OidcError> {
@@ -158,9 +156,7 @@ impl OidcBackend for MockImpl {
         &self,
         _provider_metadata: VerifiedProviderMetadata,
         _credentials: ClientCredentials,
-        _metadata: &VerifiedClientMetadata,
         refresh_token: String,
-        _latest_id_token: Option<IdToken<'static>>,
     ) -> Result<RefreshedSessionTokens, OidcError> {
         if Some(refresh_token) != self.expected_refresh_token {
             Err(OidcError::Oidc(OidcClientError::TokenRefresh(TokenRefreshError::Token(

crates/matrix-sdk/src/authentication/oidc/backend/mod.rs

@@ -23,7 +23,6 @@ use mas_oidc_client::{
         iana::oauth::OAuthTokenTypeHint,
         oidc::VerifiedProviderMetadata,
         registration::{ClientRegistrationResponse, VerifiedClientMetadata},
-        IdToken,
     },
 };
 use url::Url;
@@ -58,7 +57,6 @@ pub(super) trait OidcBackend: std::fmt::Debug + Send + Sync {
         &self,
         provider_metadata: VerifiedProviderMetadata,
         credentials: ClientCredentials,
-        metadata: VerifiedClientMetadata,
         auth_code: AuthorizationCode,
         validation_data: AuthorizationValidationData,
     ) -> Result<OidcSessionTokens, OidcError>;
@@ -67,9 +65,7 @@ pub(super) trait OidcBackend: std::fmt::Debug + Send + Sync {
         &self,
         provider_metadata: VerifiedProviderMetadata,
         credentials: ClientCredentials,
-        metadata: &VerifiedClientMetadata,
         refresh_token: String,
-        latest_id_token: Option<IdToken<'static>>,
     ) -> Result<RefreshedSessionTokens, OidcError>;
 
     async fn revoke_token(

crates/matrix-sdk/src/authentication/oidc/backend/server.rs

@@ -21,11 +21,9 @@ use chrono::Utc;
 use http::StatusCode;
 use mas_oidc_client::{
     http_service::HttpService,
-    jose::jwk::PublicJsonWebKeySet,
     requests::{
         authorization_code::{access_token_with_authorization_code, AuthorizationValidationData},
         discovery::{discover, insecure_discover},
-        jose::{fetch_jwks, JwtVerificationData},
         refresh_token::refresh_access_token,
         registration::register_client,
         revocation::revoke_token,
@@ -35,7 +33,6 @@ use mas_oidc_client::{
         iana::oauth::OAuthTokenTypeHint,
         oidc::{ProviderMetadata, ProviderMetadataVerificationError, VerifiedProviderMetadata},
         registration::{ClientRegistrationResponse, VerifiedClientMetadata},
-        IdToken,
     },
 };
 use oauth2::{AsyncHttpClient, HttpClientError, HttpRequest, HttpResponse};
@@ -66,14 +63,6 @@ impl OidcServer {
     fn http_service(&self) -> HttpService {
         HttpService::new(self.http_client().clone())
     }
-
-    /// Fetch the OpenID Connect JSON Web Key Set at the given URI.
-    ///
-    /// Returns an error if the client registration was not restored, or if an
-    /// error occurred when fetching the data.
-    async fn fetch_jwks(&self, uri: &Url) -> Result<PublicJsonWebKeySet, OidcError> {
-        fetch_jwks(&self.http_service(), uri).await.map_err(Into::into)
-    }
 }
 
 #[async_trait::async_trait]
@@ -138,26 +127,16 @@ impl OidcBackend for OidcServer {
         &self,
         provider_metadata: VerifiedProviderMetadata,
         credentials: ClientCredentials,
-        metadata: VerifiedClientMetadata,
         auth_code: AuthorizationCode,
         validation_data: AuthorizationValidationData,
     ) -> Result<OidcSessionTokens, OidcError> {
-        let jwks = self.fetch_jwks(provider_metadata.jwks_uri()).await?;
-
-        let id_token_verification_data = JwtVerificationData {
-            issuer: provider_metadata.issuer(),
-            jwks: &jwks,
-            client_id: &credentials.client_id().to_owned(),
-            signing_algorithm: metadata.id_token_signed_response_alg(),
-        };
-
-        let (response, id_token) = access_token_with_authorization_code(
+        let (response, _) = access_token_with_authorization_code(
             &self.http_service(),
             credentials.clone(),
             provider_metadata.token_endpoint(),
             auth_code.code,
             validation_data,
-            Some(id_token_verification_data),
+            None,
             Utc::now(),
             &mut rng()?,
         )
@@ -166,35 +145,23 @@ impl OidcBackend for OidcServer {
         Ok(OidcSessionTokens {
             access_token: response.access_token,
             refresh_token: response.refresh_token,
-            latest_id_token: id_token,
         })
     }
 
     async fn refresh_access_token(
         &self,
         provider_metadata: VerifiedProviderMetadata,
         credentials: ClientCredentials,
-        metadata: &VerifiedClientMetadata,
         refresh_token: String,
-        latest_id_token: Option<IdToken<'static>>,
     ) -> Result<RefreshedSessionTokens, OidcError> {
-        let jwks = self.fetch_jwks(provider_metadata.jwks_uri()).await?;
-
-        let id_token_verification_data = JwtVerificationData {
-            issuer: provider_metadata.issuer(),
-            jwks: &jwks,
-            client_id: &credentials.client_id().to_owned(),
-            signing_algorithm: &metadata.id_token_signed_response_alg().clone(),
-        };
-
         refresh_access_token(
             &self.http_service(),
             credentials,
             provider_metadata.token_endpoint(),
             refresh_token,
             None,
-            Some(id_token_verification_data),
-            latest_id_token.as_ref(),
+            None,
+            None,
             Utc::now(),
             &mut rng()?,
         )
@@ -285,7 +252,6 @@ impl OidcBackend for OidcServer {
         let tokens = OidcSessionTokens {
             access_token: response.access_token().secret().to_owned(),
             refresh_token: response.refresh_token().map(|t| t.secret().to_owned()),
-            latest_id_token: None,
         };
 
         Ok(tokens)