matrix-org · kilimnik · Jan 11, 2025 · Jan 11, 2025 · Jan 11, 2025 · Jan 11, 2025
@@ -0,0 +1,88 @@
+// Copyright 2025 The Matrix.org Foundation C.I.C.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Common modules useful when using OIDC as the auththentication mechanism.
+
+pub(crate) mod oidc_client;
+
+use as_variant::as_variant;
+use openidconnect::core::CoreErrorResponseType;
+pub use openidconnect::{
+    ConfigurationError, DeviceCodeErrorResponseType, DiscoveryError, HttpClientError,
+    RequestTokenError, StandardErrorResponse,
+};
+use thiserror::Error;
+
+use crate::{oidc, HttpError};
+
+/// Error type describing failures in the interaction between the device
+/// attempting to log in and the OIDC provider.
+#[derive(Debug, Error)]
+pub enum DeviceAuhorizationOidcError {
+    /// A generic OIDC error happened while we were attempting to register the
+    /// device with the OIDC provider.
+    #[error(transparent)]
+    Oidc(#[from] oidc::OidcError),
+
+    /// The issuer URL failed to be parsed.
+    #[error(transparent)]
+    InvalidIssuerUrl(#[from] url::ParseError),
+
+    /// There was an error with our device configuration right before attempting
+    /// to wait for the access token to be issued by the OIDC provider.
+    #[error(transparent)]
+    Configuration(#[from] ConfigurationError),
+
+    /// An error happened while we attempted to discover the authentication
+    /// issuer URL.
+    #[error(transparent)]
+    AuthenticationIssuer(HttpError),
+
+    /// An error happened while we attempted to request a device authorization
+    /// from the OIDC provider.
+    #[error(transparent)]
+    DeviceAuthorization(
+        #[from]
+        RequestTokenError<
+            HttpClientError<reqwest::Error>,
+            StandardErrorResponse<CoreErrorResponseType>,
+        >,
+    ),
+
+    /// An error happened while waiting for the access token to be issued and
+    /// sent to us by the OIDC provider.
+    #[error(transparent)]
+    RequestToken(
+        #[from]
+        RequestTokenError<
+            HttpClientError<reqwest::Error>,
+            StandardErrorResponse<DeviceCodeErrorResponseType>,
+        >,
+    ),
+
+    /// An error happened during the discovery of the OIDC provider metadata.
+    #[error(transparent)]
+    Discovery(#[from] DiscoveryError<HttpClientError<reqwest::Error>>),
+}
+
+impl DeviceAuhorizationOidcError {
+    /// If the [`DeviceAuhorizationOidcError`] is of the
+    /// [`DeviceCodeErrorResponseType`] error variant, return it.
+    pub fn as_request_token_error(&self) -> Option<&DeviceCodeErrorResponseType> {
+        let error = as_variant!(self, DeviceAuhorizationOidcError::RequestToken)?;
+        let request_token_error = as_variant!(error, RequestTokenError::ServerResponse)?;
+
+        Some(request_token_error.error())
+    }
+}
@@ -87,13 +87,14 @@ pub type OidcClientInner<
 /// An OIDC specific HTTP client.
 ///
 /// This is used to communicate with the OIDC provider exclusively.
-pub(super) struct OidcClient {
+#[derive(Debug)]
+pub(crate) struct OidcClient {
     inner: OidcClientInner,
     http_client: HttpClient,
 }
 
 impl OidcClient {
-    pub(super) async fn new(
+    pub(crate) async fn new(
         client_id: String,
         issuer_url: String,
         http_client: HttpClient,
@@ -120,20 +121,22 @@ impl OidcClient {
         Ok(OidcClient { inner: oidc_client, http_client })
     }
 
-    pub(super) async fn request_device_authorization(
+    pub(crate) async fn request_device_authorization(
         &self,
         device_id: Curve25519PublicKey,
+        custom_scopes: Option<Vec<ScopeToken>>,
     ) -> Result<CoreDeviceAuthorizationResponse, DeviceAuhorizationOidcError> {
-        let scopes = [
-            ScopeToken::Openid,
-            ScopeToken::MatrixApi(MatrixApiScopeToken::Full),
-            ScopeToken::try_with_matrix_device(device_id.to_base64()).expect(
-                "We should be able to create a scope token from a \
+        let scopes = custom_scopes
+            .unwrap_or(vec![
+                ScopeToken::Openid,
+                ScopeToken::MatrixApi(MatrixApiScopeToken::Full),
+                ScopeToken::try_with_matrix_device(device_id.to_base64()).expect(
+                    "We should be able to create a scope token from a \
                  Curve25519 public key encoded as base64",
-            ),
-        ]
-        .into_iter()
-        .map(|scope| Scope::new(scope.to_string()));
+                ),
+            ])
+            .into_iter()
+            .map(|scope| Scope::new(scope.to_string()));
 
         let details: CoreDeviceAuthorizationResponse = self
             .inner
@@ -145,7 +148,7 @@ impl OidcClient {
         Ok(details)
     }
 
-    pub(super) async fn wait_for_tokens(
+    pub(crate) async fn wait_for_tokens(
         &self,
         details: &CoreDeviceAuthorizationResponse,
     ) -> Result<OidcSessionTokens, DeviceAuhorizationOidcError> {