feat(auth): get rid of the cargo feature flag for OIDC

OIDC authentication has been used in production in multiple embeddings
of the Matrix Rust SDK, some of them for months already, and they're
considered stable for everyday use. As such, the feature is not
considered experimental anymore, especially since the future of
authentication will rely on OIDC and related mechanisms.

Author: bnjbvr

.github/workflows/ci.yml

@@ -35,7 +35,6 @@ jobs:
       fail-fast: true
       matrix:
         name:
-          - experimental-oidc
           - no-encryption
           - no-sqlite
           - no-encryption-and-sqlite

bindings/matrix-sdk-ffi/Cargo.toml

@@ -55,7 +55,6 @@ workspace = true
 features = [
     "anyhow",
     "e2e-encryption",
-    "experimental-oidc",
     "experimental-widgets",
     "markdown",
     "rustls-tls", # note: differ from block below
@@ -69,7 +68,6 @@ workspace = true
 features = [
     "anyhow",
     "e2e-encryption",
-    "experimental-oidc",
     "experimental-widgets",
     "markdown",
     "native-tls", # note: differ from block above

crates/matrix-sdk/Cargo.toml

@@ -40,22 +40,11 @@ markdown = ["ruma/markdown"]
 native-tls = ["reqwest/native-tls"]
 rustls-tls = ["reqwest/rustls-tls"]
 socks = ["reqwest/socks"]
-sso-login = ["dep:axum", "dep:rand", "dep:tower"]
+sso-login = ["dep:axum"]
 
 uniffi = ["dep:uniffi", "matrix-sdk-base/uniffi", "dep:matrix-sdk-ffi-macros"]
 
-experimental-oidc = [
-    "ruma/unstable-msc2967",
-    "ruma/unstable-msc4108",
-    "dep:chrono",
-    "dep:language-tags",
-    "dep:mas-oidc-client",
-    "dep:rand",
-    "dep:sha2",
-    "dep:tower",
-    "dep:openidconnect",
-]
-experimental-widgets = ["dep:language-tags", "dep:uuid"]
+experimental-widgets = ["dep:uuid"]
 
 docsrs = ["e2e-encryption", "sqlite", "indexeddb", "sso-login", "qrcode"]
 
@@ -71,7 +60,7 @@ async-trait = { workspace = true }
 axum = { version = "0.8.1", optional = true }
 bytes = "1.9.0"
 bytesize = "1.3.0"
-chrono = { workspace = true, optional = true }
+chrono = { workspace = true }
 event-listener = "5.4.0"
 eyeball = { workspace = true }
 eyeball-im = { workspace = true }
@@ -83,8 +72,8 @@ http = { workspace = true }
 imbl = { workspace = true, features = ["serde"] }
 indexmap = { workspace = true }
 js_int = "0.2.2"
-language-tags = { version = "0.3.2", optional = true }
-mas-oidc-client = { version = "0.11.0", default-features = false, optional = true }
+language-tags = { version = "0.3.2" }
+mas-oidc-client = { version = "0.11.0", default-features = false }
 matrix-sdk-base = { workspace = true }
 matrix-sdk-common = { workspace = true }
 matrix-sdk-ffi-macros = { workspace = true, optional = true }
@@ -96,24 +85,26 @@ mime2ext = "0.1.53"
 once_cell = { workspace = true }
 percent-encoding = "2.3.1"
 pin-project-lite = { workspace = true }
-rand = { workspace = true , optional = true }
+rand = { workspace = true }
 ruma = { workspace = true, features = [
     "rand",
     "unstable-msc2448",
     "unstable-msc2965",
+    "unstable-msc2967",
     "unstable-msc3930",
     "unstable-msc3245-v1-compat",
     "unstable-msc2867",
+    "unstable-msc4108",
     "unstable-msc4230",
 ] }
 serde = { workspace = true }
 serde_html_form = { workspace = true }
 serde_json = { workspace = true }
-sha2 = { workspace = true, optional = true }
+sha2 = { workspace = true }
 tempfile = { workspace = true }
 thiserror = { workspace = true }
 tokio-stream = { workspace = true, features = ["sync"] }
-tower = { version = "0.5.2", features = ["util"], optional = true }
+tower = { version = "0.5.2", features = ["util"] }
 tracing = { workspace = true, features = ["attributes"] }
 uniffi = { workspace = true, optional = true }
 url = { workspace = true, features = ["serde"] }
@@ -129,7 +120,7 @@ tokio = { workspace = true, features = ["macros"] }
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 backoff = { version = "0.4.0", features = ["tokio"] }
-openidconnect = { version = "4.0.0", optional = true }
+openidconnect = { version = "4.0.0" }
 # only activate reqwest's stream feature on non-wasm, the wasm part seems to not
 # support *sending* streams, which makes it useless for us.
 reqwest = { workspace = true, features = ["stream", "gzip", "http2"] }

crates/matrix-sdk/src/authentication/mod.rs

@@ -21,23 +21,22 @@ use matrix_sdk_base::SessionMeta;
 use tokio::sync::{broadcast, Mutex, OnceCell};
 
 pub mod matrix;
-#[cfg(feature = "experimental-oidc")]
 pub mod oidc;
 
-use self::matrix::{MatrixAuth, MatrixAuthData};
-#[cfg(feature = "experimental-oidc")]
-use self::oidc::{Oidc, OidcAuthData, OidcCtx};
+use self::{
+    matrix::{MatrixAuth, MatrixAuthData},
+    oidc::{Oidc, OidcAuthData, OidcCtx},
+};
 use crate::{Client, RefreshTokenError, SessionChange};
 
-#[cfg(all(feature = "experimental-oidc", feature = "e2e-encryption", not(target_arch = "wasm32")))]
+#[cfg(all(feature = "e2e-encryption", not(target_arch = "wasm32")))]
 pub mod qrcode;
 
 /// Session tokens, for any kind of authentication.
 #[allow(missing_debug_implementations, clippy::large_enum_variant)]
 pub enum SessionTokens {
     /// Tokens for a [`matrix`] session.
     Matrix(matrix::MatrixSessionTokens),
-    #[cfg(feature = "experimental-oidc")]
     /// Tokens for an [`oidc`] session.
     Oidc(oidc::OidcSessionTokens),
 }
@@ -51,7 +50,6 @@ pub(crate) type ReloadSessionCallback =
 /// All the data relative to authentication, and that must be shared between a
 /// client and all its children.
 pub(crate) struct AuthCtx {
-    #[cfg(feature = "experimental-oidc")]
     pub(crate) oidc: OidcCtx,
 
     /// Whether to try to refresh the access token automatically when an
@@ -93,7 +91,6 @@ pub enum AuthApi {
     Matrix(MatrixAuth),
 
     /// The OpenID Connect API.
-    #[cfg(feature = "experimental-oidc")]
     Oidc(Oidc),
 }
 
@@ -105,7 +102,6 @@ pub enum AuthSession {
     Matrix(matrix::MatrixSession),
 
     /// A session using the OpenID Connect API.
-    #[cfg(feature = "experimental-oidc")]
     Oidc(Box<oidc::OidcSession>),
 }
 
@@ -114,7 +110,6 @@ impl AuthSession {
     pub fn meta(&self) -> &SessionMeta {
         match self {
             AuthSession::Matrix(session) => &session.meta,
-            #[cfg(feature = "experimental-oidc")]
             AuthSession::Oidc(session) => &session.user.meta,
         }
     }
@@ -123,7 +118,6 @@ impl AuthSession {
     pub fn into_meta(self) -> SessionMeta {
         match self {
             AuthSession::Matrix(session) => session.meta,
-            #[cfg(feature = "experimental-oidc")]
             AuthSession::Oidc(session) => session.user.meta,
         }
     }
@@ -132,7 +126,6 @@ impl AuthSession {
     pub fn access_token(&self) -> &str {
         match self {
             AuthSession::Matrix(session) => &session.tokens.access_token,
-            #[cfg(feature = "experimental-oidc")]
             AuthSession::Oidc(session) => &session.user.tokens.access_token,
         }
     }
@@ -141,7 +134,6 @@ impl AuthSession {
     pub fn get_refresh_token(&self) -> Option<&str> {
         match self {
             AuthSession::Matrix(session) => session.tokens.refresh_token.as_deref(),
-            #[cfg(feature = "experimental-oidc")]
             AuthSession::Oidc(session) => session.user.tokens.refresh_token.as_deref(),
         }
     }
@@ -153,7 +145,6 @@ impl From<matrix::MatrixSession> for AuthSession {
     }
 }
 
-#[cfg(feature = "experimental-oidc")]
 impl From<oidc::OidcSession> for AuthSession {
     fn from(session: oidc::OidcSession) -> Self {
         Self::Oidc(session.into())
@@ -166,7 +157,6 @@ pub(crate) enum AuthData {
     /// Data for the native Matrix authentication API.
     Matrix(MatrixAuthData),
     /// Data for the OpenID Connect API.
-    #[cfg(feature = "experimental-oidc")]
     Oidc(OidcAuthData),
 }
 
@@ -178,7 +168,6 @@ impl AuthData {
     pub(crate) fn access_token(&self) -> Option<String> {
         let token = match self {
             Self::Matrix(d) => d.tokens.get().access_token,
-            #[cfg(feature = "experimental-oidc")]
             Self::Oidc(d) => d.tokens.get()?.get().access_token,
         };
 

crates/matrix-sdk/src/authentication/oidc/mod.rs

@@ -27,11 +27,9 @@
 //! limited to the Authorization Code flow. It also uses some OAuth 2.0
 //! extensions.
 //!
-//! # Setup
-//!
-//! To enable support for OpenID Connect on the [`Client`], simply enable the
-//! `experimental-oidc` cargo feature for the `matrix-sdk` crate. Then this
-//! authentication API is available with [`Client::oidc()`].
+//! Support for OpenID Connect on the [`Client`] is always enabled by default
+//! for the `matrix-sdk` crate. Its main API object can be obtained through the
+//! authentication API available with [`Client::oidc()`].
 //!
 //! # Homeserver support
 //!

crates/matrix-sdk/src/client/builder/mod.rs

@@ -28,18 +28,21 @@ use tokio::sync::{broadcast, Mutex, OnceCell};
 use tracing::{debug, field::debug, instrument, Span};
 
 use super::{Client, ClientInner};
-#[cfg(feature = "experimental-oidc")]
-use crate::authentication::oidc::OidcCtx;
 #[cfg(feature = "e2e-encryption")]
 use crate::crypto::{CollectStrategy, TrustRequirement};
 #[cfg(feature = "e2e-encryption")]
 use crate::encryption::EncryptionSettings;
 #[cfg(not(target_arch = "wasm32"))]
 use crate::http_client::HttpSettings;
 use crate::{
-    authentication::AuthCtx, client::ClientServerCapabilities, config::RequestConfig,
-    error::RumaApiError, http_client::HttpClient, send_queue::SendQueueData,
-    sliding_sync::VersionBuilder as SlidingSyncVersionBuilder, HttpError, IdParseError,
+    authentication::{oidc::OidcCtx, AuthCtx},
+    client::ClientServerCapabilities,
+    config::RequestConfig,
+    error::RumaApiError,
+    http_client::HttpClient,
+    send_queue::SendQueueData,
+    sliding_sync::VersionBuilder as SlidingSyncVersionBuilder,
+    HttpError, IdParseError,
 };
 
 /// Builder that allows creating and configuring various parts of a [`Client`].
@@ -510,7 +513,6 @@ impl ClientBuilder {
             version
         };
 
-        #[cfg(feature = "experimental-oidc")]
         let allow_insecure_oidc = homeserver.scheme() == "http";
 
         let auth_ctx = Arc::new(AuthCtx {
@@ -520,7 +522,6 @@ impl ClientBuilder {
             auth_data: OnceCell::default(),
             reload_session_callback: OnceCell::default(),
             save_session_callback: OnceCell::default(),
-            #[cfg(feature = "experimental-oidc")]
             oidc: OidcCtx::new(allow_insecure_oidc),
         });
 

crates/matrix-sdk/src/client/futures.rs

@@ -19,7 +19,6 @@ use std::{fmt::Debug, future::IntoFuture};
 use eyeball::SharedObservable;
 #[cfg(not(target_arch = "wasm32"))]
 use eyeball::Subscriber;
-#[cfg(feature = "experimental-oidc")]
 use mas_oidc_client::{
     error::{
         Error as OidcClientError, ErrorBody as OidcErrorBody, HttpError as OidcHttpError,
@@ -29,14 +28,11 @@ use mas_oidc_client::{
 };
 use matrix_sdk_common::boxed_into_future;
 use ruma::api::{client::error::ErrorKind, error::FromHttpResponseError, OutgoingRequest};
-#[cfg(feature = "experimental-oidc")]
-use tracing::error;
-use tracing::trace;
+use tracing::{error, trace};
 
 use super::super::Client;
-#[cfg(feature = "experimental-oidc")]
-use crate::authentication::oidc::OidcError;
 use crate::{
+    authentication::oidc::OidcError,
     config::RequestConfig,
     error::{HttpError, HttpResult},
     RefreshTokenError, TransmissionProgress,
@@ -134,7 +130,6 @@ where
                             client.broadcast_unknown_token(soft_logout);
                         }
 
-                        #[cfg(feature = "experimental-oidc")]
                         RefreshTokenError::Oidc(oidc_error) => {
                             match **oidc_error {
                                 OidcError::Oidc(OidcClientError::TokenRefresh(

crates/matrix-sdk/src/client/mod.rs

@@ -73,11 +73,10 @@ use tracing::{debug, error, instrument, trace, warn, Instrument, Span};
 use url::Url;
 
 use self::futures::SendRequest;
-#[cfg(feature = "experimental-oidc")]
-use crate::authentication::oidc::Oidc;
 use crate::{
     authentication::{
-        matrix::MatrixAuth, AuthCtx, AuthData, ReloadSessionCallback, SaveSessionCallback,
+        matrix::MatrixAuth, oidc::Oidc, AuthCtx, AuthData, ReloadSessionCallback,
+        SaveSessionCallback,
     },
     config::RequestConfig,
     deduplicating_handler::DeduplicatingHandler,
@@ -583,7 +582,6 @@ impl Client {
     pub fn auth_api(&self) -> Option<AuthApi> {
         match self.inner.auth_ctx.auth_data.get()? {
             AuthData::Matrix(_) => Some(AuthApi::Matrix(self.matrix_auth())),
-            #[cfg(feature = "experimental-oidc")]
             AuthData::Oidc(_) => Some(AuthApi::Oidc(self.oidc())),
         }
     }
@@ -597,7 +595,6 @@ impl Client {
     pub fn session(&self) -> Option<AuthSession> {
         match self.auth_api()? {
             AuthApi::Matrix(api) => api.session().map(Into::into),
-            #[cfg(feature = "experimental-oidc")]
             AuthApi::Oidc(api) => api.full_session().map(Into::into),
         }
     }
@@ -639,7 +636,6 @@ impl Client {
     }
 
     /// Access the OpenID Connect API of the client.
-    #[cfg(feature = "experimental-oidc")]
     pub fn oidc(&self) -> Oidc {
         Oidc::new(self.clone())
     }
@@ -1250,7 +1246,6 @@ impl Client {
         let session = session.into();
         match session {
             AuthSession::Matrix(s) => Box::pin(self.matrix_auth().restore_session(s)).await,
-            #[cfg(feature = "experimental-oidc")]
             AuthSession::Oidc(s) => Box::pin(self.oidc().restore_session(*s)).await,
         }
     }
@@ -1286,7 +1281,6 @@ impl Client {
                 trace!("Token refresh: Using the homeserver.");
                 Box::pin(api.refresh_access_token()).await?;
             }
-            #[cfg(feature = "experimental-oidc")]
             AuthApi::Oidc(api) => {
                 trace!("Token refresh: Using OIDC.");
                 Box::pin(api.refresh_access_token()).await?;