feat(auth): OIDC phase 0+1 — discovery, flow detection, client config

Toward MSC3861/MSC2965 next-gen-auth login (P4-6), client-only.
- cs-api.ts: type the stable `m.authentication` well-known key + getOidcIssuer()
  (stable preferred over the unstable msc2965 key; {} for non-OIDC servers).
- useParsedLoginFlows.ts: getOidcCompatibilityFlag() (MSC3824 oauth_aware_preferred
  / delegated_oidc_compatibility) as a secondary OIDC hint.
- New pages/auth/oidc/oidcConfig.ts: dynamic-registration client metadata + the
  non-hash callback URL (redirect_uris can't contain a fragment).
- paths.ts: OIDC_CALLBACK_PATH.
- 8 unit tests for the pure helpers.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-30 15:51:23 -04:00
parent 30d0331174
commit 98ad5674a8
6 changed files with 173 additions and 1 deletions
+25
View File
@@ -20,6 +20,13 @@ export type AutoDiscoveryInfo = Record<string, unknown> & {
'm.identity_server'?: {
base_url: string;
};
// v1.15 stable next-gen-auth (MSC2965) discovery key — emitted by servers that
// delegate to a Matrix Authentication Service (e.g. mozilla.org). The
// `org.matrix.msc2965.authentication` key below is the unstable predecessor.
'm.authentication'?: {
issuer?: string;
account?: string;
};
'org.matrix.msc2965.authentication'?: {
account?: string;
issuer?: string;
@@ -32,6 +39,24 @@ export type AutoDiscoveryInfo = Record<string, unknown> & {
];
};
/**
* Resolve the OIDC issuer (and account-management URL) advertised by a homeserver
* in its `.well-known/matrix/client`, preferring the v1.15 stable
* `m.authentication` key over the unstable `org.matrix.msc2965.authentication`.
* Returns `{}` when the server is not OIDC-native (e.g. matrix.lotusguild.org).
*/
export const getOidcIssuer = (info: AutoDiscoveryInfo): { issuer?: string; account?: string } => {
const stable = info['m.authentication'];
if (stable && typeof stable.issuer === 'string') {
return { issuer: stable.issuer, account: stable.account };
}
const unstable = info['org.matrix.msc2965.authentication'];
if (unstable && typeof unstable.issuer === 'string') {
return { issuer: unstable.issuer, account: unstable.account };
}
return {};
};
export const autoDiscovery = async (
request: typeof fetch,
server: string,