FFI: Add support for OIDC login hints

[pixlwave]

This PR makes 2 changes:

• Add a generic login_hint method to the OAuth URL builder (see Forward the login_hint upstream. element-hq/matrix-authentication-service#4512 for more context).
• Expose the generic login_hint on the FFI's url_for_oidc method.

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 3 lines in your changes missing coverage. Please review.

Project coverage is 85.85%. Comparing base (b5b2450) to head (36c7747).
Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
...-sdk/src/authentication/oauth/auth_code_builder.rs	0.00%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5012      +/-   ##
==========================================
- Coverage   85.87%   85.85%   -0.02%     
==========================================
  Files         325      325              
  Lines       35853    35856       +3     
==========================================
- Hits        30787    30784       -3     
- Misses       5066     5072       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[poljar]

Hmm, this overwrites whatever we set with user_id_hint(), we should mention this.

Out of interest, what will you set as the hint?

[pixlwave]

Good point, I've added the same The following methods are mutually exclusive line that we use in the client builder.

It will likely be an email address but it depends on the upstream provider, we would pass through whatever is given to us without modifying it. The use case is an organisation creating provisioning links like https://app.example.com/?server_name=example.org&login_hint=alice where their upstream provider knows how to handle alice as a hint.

There are docs here: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

[poljar]

Ah makes sense. Can we perhaps more explicitly mention this example use-case and link to these docs?

[pixlwave]

Yep makes sense, done in 079285d

[poljar]

Nice, thanks.

[poljar]

Ah, the CI isn't happy yet.

[pixlwave]

I don't understand what the failure is:

❌ TestAliceBobEncryptionWorks/{rust_hs1}|{rust_hs1} (0s)
  2025/05/07 15:07:48 Sharing [SERVER_NAME=hs1 SYNAPSE_COMPLEMENT_DATABASE=sqlite] host environment variables with container
      test_package.go:183: CreateDirtyDeployment failed: CreateDirtyServer: Failed to deploy image homeserver : Error response from daemon: Conflict. The container name "/complement_crypto_dirty_hs1" is already in use by container "fe7d8290369fd8f61878229944b863e7b67ab074c1f6bfb67228ed36e9945b1c". You have to remove (or rename) that container to be able to reuse that name.

[pixlwave]

Ah seems like this is hitting other PRs and the fix is here: matrix-org/complement-crypto#174 matrix-org/complement-crypto#175

[MatMaul]

Thanks a lot for that and the corresponding bits in MAS, you beat us to it by a week or 2 I believe :)