
It's unclear what OpenID standard is actually meant by 'OpenID', if any at all #1691

Open
reivilibre opened this issue Dec 5, 2023 · 3 comments
Labels
clarification An area where the expected behaviour is understood, but the spec could do with being more explicit

Comments

@reivilibre (Contributor)

Link to problem area:

Issue
The OpenID section does not say which OpenID standard is in use. Is it v1, v2, OpenID Connect?

I am unfamiliar with v1/v2 of the original OpenID specs but from what I can tell they seem fairly unrelated. From #684 I think it is meant to be OpenID Connect.

However, from personal experience with OIDC I would say that the spec we implement does not go far enough to make us actually compliant with OpenID Connect at all. For example, most of the things on the 'Mandatory to Implement' list are missing.

There are also some important details in the OIDC spec that we are missing; feel free to ask internally for my notes on this.

Overall it seems we should just rename it to something else, unrelated to OpenID altogether and explain that the /openid path is a historical misnomer.

Eventually the real 'OIDC native' work will hopefully give us something to use here instead?

@reivilibre reivilibre added the clarification An area where the expected behaviour is understood, but the spec could do with being more explicit label Dec 5, 2023
@ninchuka commented Dec 5, 2023

> There are also some important details in the OIDC spec that we are missing; feel free to ask internally for my notes on this.

why are your notes not public?

@reivilibre (Contributor, Author) commented Dec 5, 2023

> > There are also some important details in the OIDC spec that we are missing; feel free to ask internally for my notes on this.
>
> why are your notes not public?

My notes live (in cryptic/personal shorthand form) on my hard drive and because I discovered this when working on something else and have generally been overwhelmed, I did not get time to draw up a full list of what's wrong with this endpoint (and this was also before I had talked to other people who should definitely know what OpenID Connect is and can agree or disagree with me) or even finish looking into it — it isn't really my first priority to edit/criticise the spec although personally I wanted to at least leave a note here saying 'this is wrong!!!' for the next person who needs to use this endpoint and is confused at why it seems unlike OpenID / OpenID Connect (I have a bit of prior personal experience with OIDC).

Anyway, for now I think I can pull out a bit; there are potentially more fragments but honestly the evidence here should be enough to convince someone that this is not OpenID Connect at all and it would be best to e.g. rename it to something else, explaining that it was intended to have a very narrow window of compatibility to OIDC but is otherwise unrelated:

  • the endpoints bear only a tiny resemblance to OpenID Connect, so that it seems a stretch to call it OpenID (Connect) — only a super tiny subset is implemented
  • OpenID Connect Providers (OPs) should accept the access token on the User Info endpoint as an Authorization: Bearer ... header but the spec here does not require that, even though it would be required to do so to implement OpenID Connect properly
  • OPs are meant to provide an endpoint in a standard form to authenticate and obtain access tokens. I am not convinced the CS API does; frankly this is a part I haven't had a chance to look into yet, but https://spec.matrix.org/v1.9/client-server-api/#openid has a specific comment saying it is 'almost compatible' with the spec, which to me sounds like a full incompatibility...

I don't know what the history of this endpoint is (maybe it comes from a time where OpenID Connect was still in draft etc etc) and although I was curious, I am not sure I will have time to dig that up, nor does it really matter I suppose.

@MTRNord (Contributor) commented Dec 5, 2023

Thanks for sharing the notes :) It was just a little weird to have that note.
