FedCM - a quick hack

[elf-pavlik]

Followup to #29
We made it today with @mrkvon @tophcodes, and @bourgeoa
heavily copy & paste from https://github.com/Liquid-Surf/fedcm-demo/tree/main/packages/client by @thhck

I will push later code using it but in short

const client_id = 'https://zestful-keely-sootily.ngrok-free.dev/id.jsonld'
const redirect_uri = 'https://zestful-keely-sootily.ngrok-free.dev/'
const session = new Session({ client_id })
await session.login(idp, redirect_uri)

idp is not used by FedCM and is later extracted from what browser API returns, for now we still passed it to avoid making more changes

  const idp = 'https://fedcm-server.liquid.surf/'

It only works with URL Client ID in our case

{
  "@context": [
    "https://www.w3.org/ns/solid/oidc-context.jsonld"
  ],
  "client_id": "https://zestful-keely-sootily.ngrok-free.dev/id.jsonld",
  "client_name": "Solid Chess",
  "logo_uri": "https://robohash.org/aHR0cHM6Ly92dWVqZWN0cm9uLmRvY2tlcg?set=set3",
  "redirect_uris": ["https://zestful-keely-sootily.ngrok-free.dev/"],
  "grant_types": ["refresh_token", "authorization_code"]
}

It took us last 30 min to cheat our way out of trailing / errors 🤦

[elf-pavlik]

We should probably keep https://github.com/aaronpk/oauth-fedcm-profile in mind.

[elf-pavlik]

using state this way clearly makes no sense, something we need to investigate.

[elf-pavlik]

@uvdsl what do you think about refactoring your code in a way that allows creating separate package, for example solid-oidc-fedcm-rp which has this package as dependency.

As we see here the difference is using redirect vs. using FedCM api in the browser. It should be possible to isolate the redirect logic in a way that the other package uses browser api instead of the redirect 🤔

EDIT: fedcm-rp package should still allow to use the original redirect flow as a fallback!

[elf-pavlik]

9de4229 improves a bit to

const client_id = 'https://zestful-keely-sootily.ngrok-free.dev/id.jsonld'
const session = new Session({ client_id })
await session.fedCM()

[elf-pavlik]

ccd2f0c untangles FedCM further, I'll leave it here unti further feedback

I don't think this projet has any formatter, recently I started using https://oxc.rs/#feature-formatter

It should be easy to test it with https://github.com/elf-pavlik/mallory/tree/fedcm/cuckoo
One needs to change ngrok auth token, since the commited one is revoked
also hardcoded client_id needs to be updated, should be only in index.ts

On success nothing visible happen, but one can reload to see mallory message that it aborted the exploit attempt.