ok

src/api/client_server/sso.rs

@@ -122,7 +122,7 @@ pub async fn get_sso_redirect_with_provider_route(
         AuthorizationRequestData::new(
             provider.config.client_id.clone(),
             provider.config.scopes.clone(),
-            redirect_url,
+            callback,
         ),
         &mut StdRng::from_entropy(),
     )
@@ -130,6 +130,7 @@ pub async fn get_sso_redirect_with_provider_route(
 
     let signed = services().globals.sign_claims(&ValidationData::new(
         Borrow::<str>::borrow(provider).to_owned(),
+        redirect_url.to_string(),
         validation_data,
     ));
 
@@ -139,7 +140,7 @@ pub async fn get_sso_redirect_with_provider_route(
             utils::build_cookie(
                 SSO_SESSION_COOKIE,
                 &signed,
-                "/_conduit/client/sso/callback",
+                CALLBACK_PATH,
                 Some(SSO_AUTH_EXPIRATION_SECS),
             )
             .to_string(),
@@ -181,6 +182,7 @@ async fn handle_callback_helper(req: axum::extract::Request) -> Result<axum::res
 
     let ValidationData {
         provider,
+        redirect_url,
         inner: validation_data,
     } = services()
         .globals
@@ -244,7 +246,7 @@ async fn handle_callback_helper(req: axum::extract::Request) -> Result<axum::res
         credentials,
         provider.metadata.token_endpoint(),
         code.unwrap_or_default(),
-        validation_data.clone(),
+        validation_data,
         jwt_verification_data,
         SystemTime::now().into(),
         &mut StdRng::from_entropy(),
@@ -369,8 +371,8 @@ async fn handle_callback_helper(req: axum::extract::Request) -> Result<axum::res
         user_id,
     ));
 
-    let mut redirect_uri = validation_data.redirect_uri;
-    redirect_uri
+    let mut redirect_url: Url = redirect_url.parse().expect("");
+    redirect_url
         .query_pairs_mut()
         .append_pair("loginToken", &signed);
 
@@ -379,7 +381,7 @@ async fn handle_callback_helper(req: axum::extract::Request) -> Result<axum::res
             header::SET_COOKIE,
             utils::build_cookie(SSO_SESSION_COOKIE, "", CALLBACK_PATH, None).to_string(),
         )]),
-        Redirect::temporary(redirect_uri.as_str()),
+        Redirect::temporary(redirect_url.as_str()),
     )
         .into_response())
 }

src/database/key_value/sso.rs

@@ -8,7 +8,7 @@ impl service::sso::Data for KeyValueDatabase {
         key.push(0xff);
         key.extend_from_slice(subject.as_bytes());
 
-        self.subject_userid.insert(&key, user_id.as_bytes())
+        self.providersubjectid_userid.insert(&key, user_id.as_bytes())
     }
 
     fn user_from_subject(&self, provider: &str, subject: &str) -> Result<Option<OwnedUserId>> {
@@ -16,7 +16,7 @@ impl service::sso::Data for KeyValueDatabase {
         key.push(0xff);
         key.extend_from_slice(subject.as_bytes());
 
-        self.subject_userid.get(&key)?.map_or(Ok(None), |bytes| {
+        self.providersubjectid_userid.get(&key)?.map_or(Ok(None), |bytes| {
             Some(
                 UserId::parse(utils::string_from_bytes(&bytes).map_err(|_| {
                     Error::bad_database("User ID in claim_userid is invalid unicode.")

src/database/mod.rs

@@ -49,8 +49,6 @@ pub struct KeyValueDatabase {
     pub(super) userdeviceid_metadata: Arc<dyn KvTree>, // This is also used to check if a device exists
     pub(super) userid_devicelistversion: Arc<dyn KvTree>, // DevicelistVersion = u64
     pub(super) token_userdeviceid: Arc<dyn KvTree>,
-    pub(super) subject_userid: Arc<dyn KvTree>,
-
     pub(super) onetimekeyid_onetimekeys: Arc<dyn KvTree>, // OneTimeKeyId = UserId + DeviceKeyId
     pub(super) userid_lastonetimekeyupdate: Arc<dyn KvTree>, // LastOneTimeKeyUpdate = Count
     pub(super) keychangeid_userid: Arc<dyn KvTree>,       // KeyChangeId = UserId/RoomId + Count
@@ -290,8 +288,6 @@ impl KeyValueDatabase {
             userdeviceid_metadata: builder.open_tree("userdeviceid_metadata")?,
             userid_devicelistversion: builder.open_tree("userid_devicelistversion")?,
             token_userdeviceid: builder.open_tree("token_userdeviceid")?,
-            subject_userid: builder.open_tree("subject_userid")?,
-
             onetimekeyid_onetimekeys: builder.open_tree("onetimekeyid_onetimekeys")?,
             userid_lastonetimekeyupdate: builder.open_tree("userid_lastonetimekeyupdate")?,
             keychangeid_userid: builder.open_tree("keychangeid_userid")?,

src/main.rs

@@ -283,7 +283,10 @@ fn routes(config: &Config) -> Router {
         .ruma_route(client_server::get_sso_redirect_with_provider_route)
         // The specification will likely never introduce any endpoint for handling authorization callbacks.
         // As a workaround, we use custom path that redirects the user to the default login handler.
-        .route(CALLBACK_PATH, get(client_server::handle_callback_route))
+        .route(
+            &format!("/{CALLBACK_PATH}"),
+            get(client_server::handle_callback_route),
+        )
         .ruma_route(client_server::get_capabilities_route)
         .ruma_route(client_server::get_pushrules_all_route)
         .ruma_route(client_server::set_pushrule_route)

src/service/sso/mod.rs

@@ -152,13 +152,14 @@ impl LoginToken {
 #[derive(Clone, Debug, Deserialize, Serialize)]
 pub struct ValidationData {
     pub provider: String,
+    pub redirect_url: String,
     #[serde(flatten, with = "AuthorizationValidationDataDef")]
     pub inner: AuthorizationValidationData,
 }
 
 impl ValidationData {
-    pub fn new(provider: String, inner: AuthorizationValidationData) -> Self {
-        Self { provider, inner }
+    pub fn new(provider: String, redirect_url: String, inner: AuthorizationValidationData) -> Self {
+        Self { provider, redirect_url, inner }
     }
 }