matrix-js-sdk requires `.well-known/openid-configuration` endpoint to log in with OAuth

[gingershaped]

While working on implementing support for OAuth login in Continuwuity, I found that the matrix-js-sdk sends a request to https://<issuer>/.well-known/openid-configuration before opening the authorization_endpoint, performed by this call to createSigninRequest which calls getAuthorizationEndpoint in oidc-client-ts. This behavior is described in RFC 8414 but is not required by the Matrix specification, which has a dedicated endpoint for fetching this configuration. (MAS responds to this well-known URL with the same response as the Matrix-specific discovery endpoint.) I would expect the SDK to only use the Matrix-specific discovery endpoint instead of also sending requests to the RFC 8414 endpoint.

[t3chguy]

Related element-hq/element-web#32617

[t3chguy]

Sadly this one won't be fixed as quickly as your other report, we're not looking at moving away from the library at this time.

[gingershaped]

That's a bit unfortunate -- Element completely refuses to log in if this endpoint isn't implemented, which is surprising behavior for a flagship Matrix client built off a SDK that presumably intends to be spec-compliant.

[t3chguy]

The js-sdk implementation is based on earlier MSC efforts which just referenced RFCs more directly. Switching out the underlying lib isn't something on the roadmap atm as it doesn't intersect with other existing projects. Contributions welcome

[gingershaped]

With all due respect, I don't think that the contents of earlier MSCs should have much bearing on the current behavior of the SDK. If the SDK completely refuses to log in without an unspecified endpoint, that endpoint either needs to be added to the Matrix specification, or the SDK needs to be changed to not require it, which is the responsibility of the maintainers. Server implementers shouldn't need to look through the code of a dependency to figure out exactly what magic is needed to get the SDK to work properly.

[t3chguy]

The JS SDK makes no claims to support Matrix Spec v1.18 which added the OIDC APIs you are referencing.

https://github.com/matrix-org/matrix-js-sdk/blob/develop/src/version-support.ts#L26-L40

The OIDC support in the SDK is marked as @experimental.

matrix-js-sdk/src/oidc/authorize.ts

Line 128 in 69985ee

* @experimental

[gingershaped]

Just to make sure I'm understanding correctly: your position is that Element Web is using an experimental "OIDC" API, and not the OAuth API that's in the spec? I find that interesting given that Element Web is cited as an implementation of MSC2965, which specifies how authorization server metadata is discovered and doesn't mention .well-known/openid-configuration except as a possible alternative approach.

[t3chguy]

Just to make sure I'm understanding correctly: your position is that Element Web is using an experimental "OIDC" API, and not the OAuth API that's in the spec?

It is open source, it is the position the code is in as it is checked in today

I find that interesting given that Element Web matrix-org/matrix-spec-proposals#2965 (comment) as an implementation of MSC2965, which specifies how authorization server metadata is discovered and doesn't mention .well-known/openid-configuration except as a possible alternative approach.

That would have likely happened earlier in the MSC when openid-configuration was required https://github.com/sandhose/matrix-spec-proposals/blob/e9e3ee19be70327fde44154b021b667a5250b622/proposals/2965-oidc-discovery.md#get-auth_issuer

The MSC should have removed it when it had drastic changes made.

[gingershaped]

It is open source, it is the position the code is in as it is checked in today

Forgive me if I'm not understanding, but I'm not sure how the code being open-source is relevant here. If it doesn't implement the OAuth API, then it doesn't implement the OAuth API.

The MSC should have removed it when it had drastic changes made.

I'm assuming "it" refers to the matrix-js-sdk, and that you're saying the matrix-js-sdk doesn't implement that MSC (and by extension doesn't implement the OAuth API)?

[t3chguy]

Forgive me if I'm not understanding, but I'm not sure how the code being open-source is relevant here. If it doesn't implement the OAuth API, then it doesn't implement the OAuth API.

To your earlier comment

your position is that Element Web is using an experimental "OIDC" API, and not the OAuth API that's in the spec?

It isn't my position, it is what the code does, it being open source means you can assert that for yourself.

I'm assuming "it" refers to the matrix-js-sdk, and that you're saying the matrix-js-sdk doesn't implement that MSC (and by extension doesn't implement the OAuth API)?

No, I mean the MSC, when it had major changes made which removed openid-configuration they should have checked that all implementations are still valid for that MSC for them to be listed.