Draft: SSO login (OAuth 2.0 + OpenID Connect) #1012
2 changed files with 51 additions and 16 deletions
|
|
@ -11,7 +11,7 @@ use tracing::warn;
|
|||
mod proxy;
|
||||
mod oidc;
|
||||
|
||||
use self::{oidc::ProviderConfig, proxy::ProxyConfig};
|
||||
use self::{oidc::OidcConfig, proxy::ProxyConfig};
|
||||
|
||||
#[derive(Clone, Debug, Deserialize)]
|
||||
pub struct Config {
|
||||
|
|
@ -83,7 +83,7 @@ pub struct Config {
|
|||
#[serde(default)]
|
||||
pub macaroon_key: Option<String>,
|
||||
#[serde(default)]
|
||||
pub oidc: Vec<ProviderConfig>,
|
||||
pub oidc: OidcConfig,
|
||||
|
||||
pub emergency_password: Option<String>,
|
||||
|
||||
|
|
|
|||
|
|
@ -1,31 +1,66 @@
|
|||
use ruma::{serde::AsRefStr, OwnedMxcUri};
|
||||
use serde::Deserialize;
|
||||
|
||||
pub type OidcConfig = Vec<ProviderConfig>;
|
||||
|
||||
#[derive(Clone, Debug, Deserialize)]
|
||||
pub struct ProviderConfig {
|
||||
// Must be unique, used to distinguish OPs
|
||||
pub id: String,
|
||||
pub name: String,
|
||||
pub icon: Option<String>,
|
||||
pub name: Option<String>,
|
||||
pub icon: Option<OwnedMxcUri>,
|
||||
|
||||
pub scopes: Vec<String>,
|
||||
// Base URL of the OpenID Provider
|
||||
pub issuer: url::Url,
|
||||
pub redirect_url: url::Url,
|
||||
// Always contains at least "openid"
|
||||
// "profile", "email" and "name" are useful to suggest an MXID
|
||||
pub scopes: Vec<String>,
|
||||
// PKCE provides dynamic client secrets
|
||||
// Should be enabled when `ClientAuthMethod` is `None`
|
||||
pub pkce: Option<bool>,
|
||||
|
||||
// pub discover: bool, ???
|
||||
// Allow existent accounts to login with OIDC
|
||||
pub allow_existing_users: bool,
|
||||
// Invalidate user sessions when the OP session expires
|
||||
pub backchannel_logout: bool,
|
||||
// Should be enabled when the authorization response does not contain userinfo
|
||||
pub userinfo_override: bool,
|
||||
// Should be enabled when the authorization response does not contain a unique subject claim
|
||||
subject_claim: Option<String>,
|
||||
|
||||
pub client: ClientConfig,
|
||||
pub endpoint: EndpointConfig,
|
||||
pub metadata: MetadataConfig,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Deserialize)]
|
||||
pub enum MetadataConfig {
|
||||
// Should be used for OPs supporting the OIDC Discovery endpoint
|
||||
Discoverable,
|
||||
Manual {
|
||||
authorization: Option<url::Url>,
|
||||
token: Option<url::Url>,
|
||||
userinfo: Option<url::Url>,
|
||||
jwk: Option<url::Url>,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Deserialize, AsRefStr)]
|
||||
pub enum ClientAuthMethod {
|
||||
None,
|
||||
// Provide the client combo in the Authorization header
|
||||
Basic,
|
||||
// Provide the client combo as in the POST request body
|
||||
Post,
|
||||
// Provide a JWT signed with client secret
|
||||
SharedJwt,
|
||||
// Provide a JWT signed with our own keypair (OP needs to know the public key)
|
||||
PrivateJwt,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Deserialize)]
|
||||
pub struct ClientConfig {
|
||||
pub id: String,
|
||||
pub secret: String,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Default, Deserialize)]
|
||||
pub struct EndpointConfig {
|
||||
pub authorization: Option<url::Url>,
|
||||
pub token: Option<url::Url>,
|
||||
pub userinfo: Option<url::Url>,
|
||||
// Mandatory for the following `ClientAuthMethod`s:
|
||||
// [`Basic`,`Post`,`SharedJwt`]
|
||||
pub secret: Option<String>,
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue