Add OAuth2 support

[maxklenk]

It is now possible to register and login in using the OAuth2 Authorization Code Flow.

Things to discuss:

• add support for custom mapping providers similar to the ones used in the SAML integration
• use of an oAuth library

Pull Request Checklist

• Pull request is based on the develop branch
• Pull request includes a changelog file. The entry should:
  • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
  • Use markdown where necessary, mostly for code blocks.
  • End with either a period (.) or an exclamation mark (!).
  • Start with a capital letter.
• Pull request includes a sign off
• Code style is correct (run the linters)

Signed-off-by: Max Klenk max@klenk.biz

[richvdh]

this looks really great - thank you! A few stylistic bits and pieces below.

I'm not really familiar with OAuth2, so I'm largely taking it on trust that this does what it is supposed to do. Are there any well-known services (google? github?) that this will work with?

A document in the docs folder giving a few notes on how to configure OAuth2 integration might be helpful?

[richvdh]

we don't need to support python 2 any more; please use urllib directly rather than using six.

[richvdh]

can we not store this in a field in the constructor, rather than having to call a method?

[richvdh]

for internal methods like this, please could you prefix them with _ to show that they are internal.

(alternatively, if they form part of the public API of the class, they need docstrings.)

[richvdh]

(tbh it could do with a docstring anyway: in this case it should clarify that this method is fetching the OAuth2 access token rather than a matrix access token.)

[richvdh]

why are these object-level fields rather than file-level constants?

[sandhose]

The response_type and response_mode should be hardcoded as the code flow is the only one implemented yet. The scope on the other hand should be configurable.

[richvdh]

please can you document the structure of this. what does it map from and to?

[richvdh]

/me checks calendar.

Also please don't assign copyright for new code to OpenMarket unless you work for them? You can either put your own name here or omit the copyright line altogether.

[richvdh]

likewise, it's not really sensible to put Matrix.org here unless you work for them.

[richvdh]

we probably need to add a check somewhere that will make synapse refuse to start if you try to enable more than one of CAS/OAuth/SAML2.

[richvdh]

please don't follow the poor example of the CAS config block: there are conventions defined for the config file at https://github.com/matrix-org/synapse/blob/master/docs/code_style.md#configuration-file-format.

[richvdh]

once again, the CAS code sets a poor example here. This doesn't form part of the matrix client-server API, so it should be on a different path. Have a look at the way the SAML2ResponseResource works.

[richvdh]

I pressed the wrong button ^

[maxklenk]

Thank you for the review. I will improve my code and come back to you once I finished the fixes or have additional questions.

[sandhose]

Hey @maxklenk. I started working on kinda the same thing this week (implementing OpenID Connect, which is ~basically OAuth2) and did not saw this PR before working on it. Do you mind if continue my work and submit a PR by the end of the week? It should also cover your use case, but be a lot more flexible

[sandhose]

The main things I don't really know what the right approach is, is how to carry state throughout the login flow.
If we want the implementation to be secure, when we redirect the user to the provider, we need to generate a random state and a random nonce field, save them client-side, and verify them when the users comes back. Usually this is done with cookies.

@richvdh I'd like your input on this. Would it be OK to store a cookie through the flow to save some infos about it? Maybe a macaroon token with those infos in them might be a good candidate for that

---

Also, there are multiple approach to get the user infos:

• via the id_token, exchanged through the token endpoint
• via the id_token with the implicit flow
• via the user_info endpoint

Ideally, all of those should be supported.

---

The scopes should be configurable, as well as the claims (~user attributes) are mapped.

---

The OpenID Connect spec also specifies a way to logout from Relying Parties (in this case Synapse), initiated by the provider. This implies that we store the token we get from the provider so we can revoke the matrix access token when the user logs out from the OIDC Provider

[sandhose]

This should also handle oauth2 errors

[sandhose]

the nonce and the state fields should be two different things and should be checked somehow when the clients return (usually with a cookie). Also, I'm not sure if storing that in memory is a good idea, as it means this servlet can't be scaled, and restarting it will make all the running auth flows fail.

[sandhose]

That should not be hard-coded. Also, only the sub field is guaranteed to be here.

[richvdh]

If we want the implementation to be secure, when we redirect the user to the provider, we need to generate a random state and a random nonce field, save them client-side, and verify them when the users comes back. Usually this is done with cookies.

Interesting. We've not needed this for CAS or SAML (for SAML there is an in_response_to field which allows us to track sessions in the server; for CAS we stick an extra parameter on the service param which tells the CAS server where to redirect back to). I wonder if either of those techniques could be used here?

In principle though, there is no problem with storing a cookie for the duration of the login process.

[sandhose]

Interesting. We've not needed this for CAS or SAML (for SAML there is an in_response_to field which allows us to track sessions in the server; for CAS we stick an extra parameter on the service param which tells the CAS server where to redirect back to). I wonder if either of those techniques could be used here?

The state field is given in the initial authorization redirect by the Relying Party (synapse) and then restituted by the OpenID Provider on the callback URI. This was designed to indeed carry state throughout the flow, but also prevent CSRF attacks.

See https://auth0.com/docs/protocols/oauth2/oauth-state

In principle though, there is no problem with storing a cookie for the duration of the login process.

It is also recommended to have the cookie saving the state signed to prevent it from being forged. What would you think of using a macaroon token, with the state, the nonce and the client_redirect_url in it stored as a cookie? That way we don't have to store any state server-side

[clokep]

@maxklenk Thanks for your contribution, it seems that this PR has been superseded by #7256, which implements a more general approach for OpenID Connect, not just OAuth2. Will that PR fulfill all your requirements? If so, I think we can close this.

[maxklenk]

Yes, I stopped working on the PR and instead waited for #7256. I have tested @sandhose PR with additional OAuth providers and are confident that it contains everything I was aiming at with my PR. This PR can be closed.

[clokep]

Thanks for doing some additional testing! 👍