@@ -641,11 +641,49 @@ impl Oidc {
641641 self . management_url_from_provider_metadata ( metadata, action)
642642 }
643643
644+ /// Discover the authentication issuer and retrieve the
645+ /// [`VerifiedProviderMetadata`] using the GET `/auth_metadata` endpoint
646+ /// defined in [MSC2965].
647+ ///
648+ /// **Note**: This endpoint is deprecated.
649+ ///
650+ /// MSC2956: https://github.com/matrix-org/matrix-spec-proposals/pull/2965
651+ async fn fallback_discover (
652+ & self ,
653+ insecure : bool ,
654+ ) -> Result < VerifiedProviderMetadata , OauthDiscoveryError > {
655+ #[ allow( deprecated) ]
656+ let issuer =
657+ match self . client . send ( get_authentication_issuer:: msc2965:: Request :: new ( ) ) . await {
658+ Ok ( response) => response. issuer ,
659+ Err ( error)
660+ if error
661+ . as_client_api_error ( )
662+ . is_some_and ( |err| err. status_code == http:: StatusCode :: NOT_FOUND ) =>
663+ {
664+ return Err ( OauthDiscoveryError :: NotSupported ) ;
665+ }
666+ Err ( error) => return Err ( error. into ( ) ) ,
667+ } ;
668+
669+ if insecure {
670+ insecure_discover ( & self . http_service ( ) , & issuer) . await . map_err ( Into :: into)
671+ } else {
672+ discover ( & self . http_service ( ) , & issuer) . await . map_err ( Into :: into)
673+ }
674+ }
675+
644676 /// Fetch the OAuth 2.0 server metadata of the homeserver.
645677///
646678/// Returns an error if a problem occurred when fetching or validating the
647679/// metadata.
648680pub async fn provider_metadata ( & self ) -> Result < VerifiedProviderMetadata , OauthDiscoveryError > {
681+ let is_endpoint_unsupported = |error : & HttpError | {
682+ error
683+ . as_client_api_error ( )
684+ . is_some_and ( |err| err. status_code == http:: StatusCode :: NOT_FOUND )
685+ } ;
686+
649687 match self . client . send ( get_authorization_server_metadata:: msc2965:: Request :: new ( ) ) . await {
650688 Ok ( response) => {
651689 let metadata = response. metadata . deserialize_as :: < ProviderMetadata > ( ) ?;
@@ -662,38 +700,16 @@ impl Oidc {
662700 metadata. validate ( & issuer)
663701 } ;
664702
665- return Ok ( result. map_err ( error:: DiscoveryError :: Validation ) ?) ;
703+ Ok ( result. map_err ( error:: DiscoveryError :: Validation ) ?)
666704 }
667- Err ( error )
668- if error
669- . as_client_api_error ( )
670- . is_some_and ( |err| err . status_code == http :: StatusCode :: NOT_FOUND ) =>
671- {
672- // Fallback to OIDC discovery.
705+ // If the endpoint returns a 404, i.e. the server doesn't support the endpoint, attempt
706+ // to use the equivalent, but deprecated, endpoint.
707+ Err ( error ) if is_endpoint_unsupported ( & error ) => {
708+ // TODO: remove this fallback behavior when the metadata endpoint has wider
709+ // support.
710+ self . fallback_discover ( self . ctx ( ) . insecure_discover ) . await
673711 }
674- Err ( error) => return Err ( error. into ( ) ) ,
675- } ;
676-
677- // TODO: remove this fallback behavior when the metadata endpoint has wider
678- // support.
679- #[ allow( deprecated) ]
680- let issuer =
681- match self . client . send ( get_authentication_issuer:: msc2965:: Request :: new ( ) ) . await {
682- Ok ( response) => response. issuer ,
683- Err ( error)
684- if error
685- . as_client_api_error ( )
686- . is_some_and ( |err| err. status_code == http:: StatusCode :: NOT_FOUND ) =>
687- {
688- return Err ( OauthDiscoveryError :: NotSupported ) ;
689- }
690- Err ( error) => return Err ( error. into ( ) ) ,
691- } ;
692-
693- if self . ctx ( ) . insecure_discover {
694- insecure_discover ( & self . http_service ( ) , & issuer) . await . map_err ( Into :: into)
695- } else {
696- discover ( & self . http_service ( ) , & issuer) . await . map_err ( Into :: into)
712+ Err ( error) => Err ( error. into ( ) ) ,
697713 }
698714 }
699715
0 commit comments