From 0b307037e082fd35c238db7bfa492b5e23ff7cac Mon Sep 17 00:00:00 2001 From: Jared Vititoe Date: Tue, 30 Jun 2026 16:13:40 -0400 Subject: [PATCH] docs(todo): P4-6 OIDC client-side built, awaiting live verification Co-Authored-By: Claude Opus 4.8 --- LOTUS_TODO.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/LOTUS_TODO.md b/LOTUS_TODO.md index 41461ffc8..309b281a0 100644 --- a/LOTUS_TODO.md +++ b/LOTUS_TODO.md 
@@ -241,14 +241,20 @@ Features: --- -### [ ] P4-6 · OIDC / SSO Next-Gen Auth (MSC3861) (EXTREME COMPLEXITY, LOW PRIORITY) +### [~] P4-6 · OIDC / SSO Next-Gen Auth (MSC3861) — CLIENT-SIDE BUILT, awaiting live verification -**Spec:** MSC3861, merged Matrix spec v1.15. Uses Matrix Authentication Service (MAS). -**Context:** ~80% of homeserver users have LLDAP/Authelia/SSO accounts. SSO is currently enabled on `matrix.lotusguild.org` but accounts are not yet linked. This would allow users to log in via their SSO credentials. -**What:** OAuth 2.0 / OIDC login flow, token refresh, account management page linking Matrix identity to SSO identity. -**EXTREME COMPLEXITY** — requires: MAS deployment/configuration on the homeserver, significant auth flow changes in the client, token refresh handling, session management overhaul. -**[SERVER CHECK]** — Before any client work, audit whether MAS is already deployed on `compute-storage-01`. Check: `pct exec 151 -- systemctl status matrix-authentication-service` or similar. -**Complexity:** Extreme. Multi-sprint project. Plan separately. +**Spec:** MSC3861 / MSC2965, Matrix spec v1.15. OAuth2-native auth via a Matrix Authentication Service (MAS). +**Scope decision (2026-06):** CLIENT-ONLY. We implemented OIDC login _in the Lotus client_ so it can sign into next-gen homeservers (mozilla.org, eventually matrix.org). We deliberately did **not** convert lotusguild's own Synapse to MAS (no account migration; lotusguild keeps password + legacy Authelia SSO). +**Built (matrix-js-sdk already ships the OIDC API; this was wiring):** + +- Discovery: `cs-api.ts` `getOidcIssuer()` (stable `m.authentication` + msc2965). Flow hint: `useParsedLoginFlows` `getOidcCompatibilityFlag()` (MSC3824). +- Login: `pages/auth/oidc/{oidcConfig,oidcLoginUtil,oidcState}.ts` (dynamic registration + cache, PKCE authorize), `login/OidcLogin.tsx`, issuer-gated `Login.tsx`. +- Callback: `oidc/OidcCallback.tsx` + `App.tsx` short-circuit (non-hash redirect path). 
+- Session/refresh: `state/sessions.ts` OIDC fields, `client/{oidcTokenRefresher,oidcLogout}.ts`, `initMatrix.ts` wiring. +- Account mgmt: `settings/account/OidcManageAccount.tsx`. +- 13 unit tests (discovery/flow/session/cache/callback parsing). All gates green. + **Awaiting verification (needs a real MSC3861 server — lotusguild is NOT one):** deploy + log into **mozilla.org** (requires adding mozilla to the deployed `config.json` homeserverList + its domains to the CSP `connect-src`/`img-src` — see below), OR run a local `matrix-authentication-service` + Synapse `msc3861` dev loop. + **To enable the mozilla.org test:** add to `matrix/cinny/config.json` homeserverList `"mozilla.org"`, and to the nginx CSP `connect-src`/`img-src`: `https://mozilla.org https://mozilla.modular.im https://chat.mozilla.org https://vector.im`. ---
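Review bot: The "To enable the mozilla.org test" line adds four hosts (`https://mozilla.org https://mozilla.modular.im https://chat.mozilla.org https://vector.im`) to both CSP `connect-src` and `img-src` without recording which OIDC endpoint each one serves, so the allowlist cannot be pruned later; suggest noting beside each host whether it is the issuer/authorize/token origin found through `m.authentication` discovery or only a media/avatar origin, and putting the token-endpoint hosts in `connect-src` only, since `img-src` does not need them. Same for the "Session/refresh" bullet: it says `state/sessions.ts` gained OIDC fields but not where the refresh token is persisted (in-memory vs. browser storage) or how `client/oidcLogout.ts` revokes it; one sentence on that would let the "awaiting verification" step check token handling, not just that login succeeds. Finally, the replaced `[SERVER CHECK]` line (`pct exec 151 -- systemctl status matrix-authentication-service`) is dropped entirely; since the new "Scope decision" keeps lotusguild on password + Authelia, consider keeping a one-line pointer that MAS is intentionally not deployed there so the audit is not re-raised.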