OIDC: Log in

[andybalaam]

Summary

Support login via native OIDC in Element Web. Refer to https://areweoidcyet.com/client-implementation-guide/ for guidance. (You will need to find out what OIDC is before you can understand it.)

You will almost certainly need to break this story up into smaller parts before implementing it.

Background

Discovering homeserver support

Currently, Element Web is an "OIDC-aware" client, which means it has some slight alterations to its existing SSO login flow that make OIDC work a little better, but it doesn't take full advantage of OIDC.

Currently, to discover that a homeserver supports OIDC, we examine the list of available login flows (see Login.ts) and if we find a OIDC one masquerading as an SSO flow, we only display that.

Instead of this, before we ask the homeserver what flows it supports, we should check the .well-known info we have back from the homeserver, and if it contains the m.authentication section with the info we need as described in MSC2965, then use that to find what we need.

This means we must fetch another .well-known file from the issuer we got from the m.authentication server, and look inside that for the authorization_endpoint. Now, I (@andybalaam) think we have what we need to delegate directly to the authorization endpoint without asking the homeserver what auth flows it supports. This means we can jump directly to redirecting to that endpoint, somewhere near BasePlatform.ts startSingleSignOn.

The guiding MSC for this work is MSC2964, but the specifics you need here are in MSC2965.

I suspect the changes will be limited to Login.ts, BasePlatform.ts and nearby code. (But I am not certain -- @andybalaam)

This part corresponds to the first Requirement of OIDC Native clients - "Discovery of OP in /.well-known/matrix/client". Refer to the Client Implementation Guide for more info. It may also correspond to the second part - I'm not sure which Web UI is meant there - the login one or something else (e.g. signup or administration).

Dynamic and static client registration

We should support both dynamic and static client registration. See "Discovery and client registration" in https://areweoidcyet.com/client-implementation-guide/

Subtasks

Beta Give feedback

1. Add a config flag for use during development
2. OIDC: Determine homeserver is OIDC enabled vector-im/element-web#25466
   A-Authentication T-Enhancement Z-Labs +3
   
3. OIDC: Client registration with OP vector-im/element-web#25467
   A-Authentication A-OIDC T-Enhancement Z-Labs +4
   
4. OIDC: Attempt dynamic registration with OP vector-im/element-web#25468
   A-Authentication A-OIDC T-Enhancement Z-Labs +4
   
5. OIDC: Always lookup client well-known during server selection vector-im/element-web#25472
   A-Authentication A-OIDC T-Enhancement Z-Labs +4
   
6. OIDC: Make authorization request vector-im/element-web#25574
   A-Authentication A-OIDC T-Enhancement Z-Labs +4
   
7. OIDC: handle redirection to fragment after login vector-im/element-web#25656
   A-Authentication A-Login A-OIDC T-Enhancement +4
   
8. Document new config options in EW
9. OIDC: Get accessToken and complete login vector-im/element-web#25657
   A-Authentication A-Login A-OIDC T-Enhancement +4
   
10. OIDC: Display user friendly errors #25665
    A-Authentication A-Login A-OIDC T-Enhancement +4