docs(test): add OIDC/MSC3861 test section + local MAS dev loop
LOTUS_TESTING.md section N (N1-N6): OIDC login flow, session-persist-on-reload, token refresh, logout revocation, account-management link, and the non-OIDC regression check. Backed by dev/oidc-test/ — a runnable local Matrix Authentication Service + Synapse(msc3861) loop (compose skeleton, the Synapse experimental_features delta, and the public/config.json override) so the flow can be verified without a mozilla.org tester.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -410,6 +410,50 @@ Settings → Appearance → theme picker → try each of the 5 new themes.
---
## N. OIDC / Next-Gen Auth login (MSC3861) — P4-6
The Lotus client can now sign into OIDC-native homeservers (ones that delegate
auth to a Matrix Authentication Service / MAS), e.g. mozilla.org. lotusguild's
own server is **not** MSC3861, so test EITHER against a **local MAS dev loop**
(full setup in `dev/oidc-test/README.md` — docker-compose + Synapse `msc3861`
delta + a `config.json` override) OR against **mozilla.org** with a real account.
### N1. OIDC login flow (the core test) — needs a MAS homeserver
1. On the login screen, select the OIDC homeserver (local `localhost:8008`, or `mozilla.org`).
2. **Expected:** instead of the username/password form, a single **"Continue with single sign-on"** button appears (password + legacy-SSO are suppressed for that server).
3. Click it → redirected to the provider's login page (MAS / `chat.mozilla.org`).
4. Authenticate there → redirected back to `…/auth/oidc/callback` → a brief "Signing you in…" spinner → you land in the app, logged in.
**Expected:** no console CSP violations; you reach the room list as the OIDC user.
### N2. Session persists across reload (token storage)
After N1, hard-refresh the page.
**Expected:** you stay logged in — the OIDC session (access + refresh token + issuer/clientId/claims) was persisted (`cinny_refresh_token`, `cinny_oidc_*` keys in localStorage).
### N3. Token refresh (long-lived session)
Leave the session past the access-token lifetime (MAS default is short — or revoke the access token in the MAS admin UI to force a 401).
**Expected:** the client refreshes transparently (no logout); the stored access token rotates (reactive 401 refresh via the wired `OidcTokenRefresher`).
### N4. Logout revokes at the issuer
Log out from Settings.
**Expected:** back to login; OIDC tokens are revoked at the issuer's `revocation_endpoint` (best-effort) and all `cinny_*` / `cinny_oidc_*` keys are cleared. Logging back in works.
### N5. Account-management deep-link
Settings → Account.
**Expected:** on an OIDC server a **"Manage account"** card appears (opens the provider's account page in a new tab). On a non-OIDC server (lotusguild) the card is **absent**.
### N6. Non-OIDC regression — password login unchanged
Log into **matrix.lotusguild.org** (password) and **matrix.org**.
**Expected:** identical to before — username/password form (+ SSO button where offered). The OIDC path only activates when discovery advertises an issuer, so nothing changes for these servers.
---
## Priority if you're short on time
1. **A4** (in-call banner) + **A3** (ringtone) — newest, most logic, hardest to reproduce.
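Review bot: N4's expected result ("OIDC tokens are revoked at the issuer's `revocation_endpoint` (best-effort)") gives the tester nothing observable, so the step passes even if the revocation request fails silently; add a concrete check, e.g. confirm the session no longer appears in the MAS admin UI that N3 already points at, or watch for the request to the `revocation_endpoint` in the browser's network tab. N3 has the same gap: "MAS default is short" leaves the tester guessing how long to wait, so state the lifetime the `dev/oidc-test/` loop is configured with (or which MAS setting to lower) so the refresh path is reliably exercised. Since N2 documents that the refresh token lives in `localStorage` (`cinny_refresh_token`), it would also be worth having N2 assert that the token values do not show up in the `…/auth/oidc/callback` URL or in console output after the redirect, alongside N4's check that the keys are cleared.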