[auth] Support for OIDC
OIDC is an auth method broadly used, from large companies to self-hosting people.
OIDC adds value by delegating auth to an external provider, enabling single sign-on, but also features out of scope of IM such as two-factor auth, brute-force mitigation and much more.
While OIDC is a key feature in other IM tools such as Matrix, on the XMPP side OIDC is almost unmentioned. There is, AFAIK, not any XMPP client supporting OIDC right now. However, there are some XMPP backend implementations such as Prosody, and also some manifests.
Sounds like OIDC for MongooseIM makes a lot of sense too, and hopefully this would motivate XMPP clients to implement it.
Interesting, could be used to "sign in with Google" or other OpenID providers.
The main complexity is that that kind of auth is usually done from a web page / web view, at least in solutions like Slack. Our users/clients often already have a web team and implement the feature there (and afterwards just use an existing token auth, or some simple proprietary callback auth to their server - external script or external HTTP auth, which we already support - the company just needs to implement an HTTP web endpoint).
It would be nice to have:
- a client, implementing this.
- a XEP. There are common questions appearing, and to be useful, they should be answered in the XEP. There is XEP-0493 OAuth Client Login, experimental, but it primarily says to use RFC 6749: The OAuth 2.0 Authorization Framework.
So far we can split the task:
- MIM is used as an auth consumer: useful, but it is very client-implementation-aware (i.e. we need a webview in the app or a web page).
- MIM is used as an auth provider: probably could be useful only for the REST API auth. Also, using fast_auth tokens could be an alternative for the REST API.
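As an added example of the "auth consumer via external HTTP auth" path sketched above (this is illustrative code, not MongooseIM project code and not part of the thread): a small HTTP auth endpoint that treats the XMPP password field as an OIDC ID token and validates it before answering the server's `check_password` query. Assumptions, which are not confirmed by the thread: the query shape `GET /check_password?user=..&server=..&pass=..` answered with `true`/`false` is assumed to match MongooseIM's external HTTP auth (check the docs for your version); the issuer URL, audience (client_id) and the mapping of the OIDC `sub` claim to the XMPP localpart are placeholders; and HS256 with a constructed shared secret stands in for the provider's RS256 keys fetched from its JWKS endpoint so the example runs offline. The claim checks (pinned algorithm, signature, `iss`, `aud`, `exp`, `nbf`) are the part that matters regardless of the signature algorithm.

```python
"""Token-validating external HTTP auth endpoint (added example, not MongooseIM code)."""
import base64
import hashlib
import hmac
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

ISSUER = "https://issuer.example"     # assumed OIDC provider URL
AUDIENCE = "xmpp-client-id"           # assumed client_id registered at the provider
SECRET = b"constructed-shared-secret" # constructed; HS256 stand-in for RS256/JWKS


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint a JWT the way the provider would; used here only to build sample tokens."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_id_token(token: str, key: bytes = SECRET, issuer: str = ISSUER,
                    audience: str = AUDIENCE, now=None) -> dict:
    """Verify signature and standard ID-token claims; return the claims or raise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm server-side: never let the token header choose it (alg=none).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("not yet valid")
    return claims


def reject_reason(token: str):
    """None if the token is acceptable, otherwise the reason (useful for audit logs)."""
    try:
        verify_id_token(token)
    except TokenError as exc:
        return str(exc)
    return None


def check_password(user: str, server: str, password: str) -> bool:
    """Semantics of the assumed check_password query: the password is the ID token."""
    try:
        claims = verify_id_token(password)
    except TokenError:
        return False
    # Bind the token to the JID being authenticated (assumed mapping: sub == localpart).
    return claims.get("sub") == user and bool(server)


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        if url.path == "/check_password":
            ok = check_password(q.get("user", ""), q.get("server", ""), q.get("pass", ""))
            status, body = 200, (b"true" if ok else b"false")
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

In a real deployment the endpoint would fetch the provider's signing keys from its JWKS URL, verify RS256 (or whichever algorithm you pin), and should only be reachable from the XMPP server over TLS, since the ID token travels in the `pass` parameter. Carrying the token in the password field is only a stopgap until clients implement something like XEP-0493.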