fix(oidc): return M_UNRECOGNIZED when OIDC server is not configured#421
Open
f3nr1l wants to merge 1 commit intomatrix-construct:mainfrom
Open
fix(oidc): return M_UNRECOGNIZED when OIDC server is not configured#421f3nr1l wants to merge 1 commit intomatrix-construct:mainfrom
f3nr1l wants to merge 1 commit intomatrix-construct:mainfrom
Conversation
`/_matrix/client/v1/auth_metadata` and `/_matrix/client/v1/auth_issuer`
currently propagate the `services.oauth.get_server()` error as-is when
OAuth/OIDC is disabled, which surfaces to clients as a generic
`M_NOT_FOUND`.
Element Web (>= 1.12, via matrix-js-sdk's
`buildValidatedConfigFromDiscovery`) only treats MSC2965 discovery as
"not supported" when it receives `404 + M_UNRECOGNIZED`. Any other
error — including `404 + M_NOT_FOUND` — is treated as a fatal
misconfiguration and the login screen shows "<server> is
misconfigured".
Match the behavior of the router's default `not_found` handler: when
no OAuth server is configured, return
`404 + M_UNRECOGNIZED ("OIDC server not configured")` from both
endpoints. This lets password-only homeservers work out of the box
with recent Element Web builds.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When OAuth/OIDC is not configured,
/_matrix/client/v1/auth_metadataand/_matrix/client/v1/auth_issuercurrently propagate theservices.oauth.get_server()error as-is, which surfaces to clients as a genericM_NOT_FOUND.Element Web (>= 1.12, via matrix-js-sdk's
buildValidatedConfigFromDiscovery) only treats MSC2965 discovery as "not supported" when it receives404 + M_UNRECOGNIZED. Any other error — including404 + M_NOT_FOUND— is treated as a fatal misconfiguration and the login screen shows " is misconfigured".This PR makes both endpoints return
404 + M_UNRECOGNIZED ("OIDC server not configured")when no OAuth server is configured, matching the behavior of the router's defaultnot_foundhandler. Password-only homeservers then work out of the box with recent Element Web builds.Reproduction
login_with_password = trueand no[[global.identity_provider]]block.Changes
src/api/oidc/auth_metadata.rs— interceptget_server()error, returnError::Request(ErrorKind::Unrecognized, ..., StatusCode::NOT_FOUND).src/api/oidc/auth_issuer.rs— same fix.Tested on
Built from this branch, deployed on
matrix.altanet.fr(Tuwunel 1.6.0 + this patch). Element Web login flow, password auth, federation all nominal. Running for several days without regression.Notes
not_foundhandler insrc/router/router.rsalready returnsM_UNRECOGNIZEDfor unknown routes.