oauth2-types for clients
#313
Comments
|
This comment was originally posted by @sandhose at matrix-org/matrix-authentication-service#313 (comment).
That is really good to hear! I planned to do that anyway once I'm back (currently out of office until the 1st of august), so I would be glad to help you on that
We need OIDC 'client' features in MAS anyway at some point, because we will need to support upstream OPs (see #19).
For doing HTTP request, I would like to leverage Have you also looked at what's in the JOSE crate? It handles JWT-related stuff, including extracting and validating claims from JWTs. Another useful thing you might be interested in, is the certification suite from the OpenID foundation, which I found very useful for validating the 'server' (OP) implementation, and it also has a bunch of 'client' (RP) test suites. |
|
This comment was originally posted by @zecakeh at matrix-org/matrix-authentication-service#313 (comment).
Thanks! I won't hesitate to come to you if I have questions. Do you have a Matrix room where I could ask questions in a less formal way? My Matrix ID is @zecakeh:tedomum.net if you want to invite me (when you're back of course).
I'm not sure how that would look like. Do we create endpoints that implement a
Yes, it's very useful. I'm already using it to validate the claims of the received ID token.
Nice, when I'm confident enough in my implementation I'll definitely use that to validate it. Right now I've managed to proceed to the client registration and "login" and get the access token from MAS but my code is not really organized. As a first step, I'd like to improve types:
|
|
This comment was originally posted by @sandhose at matrix-org/matrix-authentication-service#313 (comment).
There is #matrix-auth:matrix.org for Matrix+OIDC related discussions
Something like this async fn token_exchange<S, ResBody>(client: &mut S) -> Result<(), Error>
where
S: tower::Service<http::Request<String>, Response = http::Response<ResBody>>,
ResBody: http_body::Body,
Error: From<ResBody::Error> + From<S::Error>,
{
// Build the request
let request = http::Request::builder()
.uri("https://example.com")
.body("{}".into())?;
// Send it
let response = client.call(request).await?;
// Do something with the response
let (parts, body) = response.into_parts();
let body = hyper::body::to_bytes(body).await?;
Ok(())
}and then use it like that let http = hyper::client::HttpConnector::new();
let https = hyper_rustls::HttpsConnectorBuilder::new()
.with_native_roots()
.https_or_http()
.enable_http1()
.enable_http2()
.wrap_connector(http);
let client = hyper::Client::builder().build(https);
let mut client = ServiceBuilder::new()
.layer(DecompressionLayer::new())
.layer(SetRequestHeaderLayer::overriding(
USER_AGENT,
"whatever/1.0",
))
.layer(ConcurrencyLimitLayer::new(10))
.layer(FollowRedirectLayer::new())
.layer(TimeoutLayer::new(Duration::from_secs(10)))
.service(client);
token_exchange(&mut client).await?;This allows the user to provide any kind of HTTP client, with any stack of tower layers, like to decompress, set the user agent, add a global timeout, inject/extract tracing informations, etc.) Of course, we would probably provide a default HTTP client with sane default to avoid some of this boilerplate for simpler use cases, but I like the flexibility of this approach.
I don't recall seeing that, do you have an example of this?
Right, I usually go with
Yeah, some stuff needs to be moved around a bit, it's not always clear where I need to put stuff. For that particular case, this code is really tied to some of Axum's traits, so it would need some refactoring to deal with a |
|
This comment was originally posted by @zecakeh at matrix-org/matrix-authentication-service#313 (comment).
Yes, for example the |
|
This comment was originally posted by @zecakeh at matrix-org/matrix-authentication-service#313 (comment). I'm closing this, with #347 merged, the types are ready for clients. |
This issue was originally created by @zecakeh at matrix-org/matrix-authentication-service#313.
I'm working on adding support for OIDC in the matrix-rust-sdk, at least as a PoC for now (so clients like ElementX could test it).
I've tested locally based on two crates:
openidconnect: it seems to work fine apart from a little incompatibility where it expects the OP to return the client metadata when dynamic registration is successful. It's a SHOULD in the OpenID Connect Dynamic Client Registration spec, so the crate should probably not require it.
this project's oauth2-types: I had to make a few modifications to be able to build some types that had private fields, but other than that it's pretty usable.
I preferred to work with oauth2-types even if everything needs to be done manually.
Is it planned for oauth2-types to have first class client support? I already see in the docs that it's mentioned it might be worth publishing this crate.
By first-class I mean integrating with http to build requests or extract responses for example. There could also be
clientvsserverfeatures, to improve compile time by only compiling what is necessary (e.g. for a client, a request doesn't need to be deserialized, and a response doesn't need to be serialized).The text was updated successfully, but these errors were encountered: