OIDC: refresh tokens (#11699)

* test persistCredentials without a pickle key

* test setLoggedIn with pickle key

* lint

* type error

* extract token persisting code into function, persist refresh token

* store has_refresh_token too

* pass refreshToken from oidcAuthGrant into credentials

* rest restore session with pickle key

* retreive stored refresh token and add to credentials

* extract token decryption into function

* remove TODO

* very messy poc

* comments

* prettier

* comment pedantry

* working refresh without persistence

* extract token persistence functions to utils

* add sugar

* implement TokenRefresher class with persistence

* tidying

* persist idTokenClaims

* persist idTokenClaims

* tests

* remove unused cde

* create token refresher during doSetLoggedIn

* tidying

* also tidying

* update Lifecycle test replaceUsingCreds calls

* tidy

* test tokenrefresher creation in login flow

* test token refresher

* Update src/utils/oidc/TokenRefresher.ts

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

* use literal value for m.authentication

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

* improve comments

---------

Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>

src/utils/oidc/TokenRefresher.ts

@@ -0,0 +1,47 @@
+/*
+Copyright 2023 The Matrix.org Foundation C.I.C.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import { IDelegatedAuthConfig, OidcTokenRefresher, AccessTokens } from "matrix-js-sdk/src/matrix";
+import { IdTokenClaims } from "oidc-client-ts";
+
+import PlatformPeg from "../../PlatformPeg";
+import { persistAccessTokenInStorage, persistRefreshTokenInStorage } from "../tokens/tokens";
+
+/**
+ * OidcTokenRefresher that implements token persistence.
+ * Stores tokens in the same way as login flow in Lifecycle.
+ */
+export class TokenRefresher extends OidcTokenRefresher {
+    private readonly deviceId!: string;
+
+    public constructor(
+        authConfig: IDelegatedAuthConfig,
+        clientId: string,
+        redirectUri: string,
+        deviceId: string,
+        idTokenClaims: IdTokenClaims,
+        private readonly userId: string,
+    ) {
+        super(authConfig, clientId, deviceId, redirectUri, idTokenClaims);
+        this.deviceId = deviceId;
+    }
+
+    public async persistTokens({ accessToken, refreshToken }: AccessTokens): Promise<void> {
+        const pickleKey = (await PlatformPeg.get()?.getPickleKey(this.userId, this.deviceId)) ?? undefined;
+        await persistAccessTokenInStorage(accessToken, pickleKey);
+        await persistRefreshTokenInStorage(refreshToken, pickleKey);
+    }
+}

src/utils/oidc/persistOidcSettings.ts

@@ -57,3 +57,15 @@ export const getStoredOidcClientId = (): string => {
     }
     return clientId;
 };
+
+/**
+ * Retrieve stored id token claims from session storage
+ * @returns idtokenclaims or undefined
+ */
+export const getStoredOidcIdTokenClaims = (): IdTokenClaims | undefined => {
+    const idTokenClaims = sessionStorage.getItem(idTokenClaimsStorageKey);
+    if (!idTokenClaims) {
+        return;
+    }
+    return JSON.parse(idTokenClaims) as IdTokenClaims;
+};