Handle cross-signing reset on MAS-enabled homeservers #27045

Closed
sandhose opened this issue Feb 21, 2024 · 2 comments

Comments

@sandhose (Member)

Your use case

With a MAS-enabled deployment, cross-signing reset fails with a cryptic error message from the HS at the end of the flow:

MatrixError: [501] Resetting cross signing keys is not yet supported with MSC3861 (https://synapse-oidc.lab.element.dev/_matrix/client/v3/keys/device_signing/upload)

This is because only the initial key upload is allowed (UIA restriction removed in MSC3967) and no UIA mechanism is available with OIDC yet.
To work around this, MSC2965 defines a deep link to the OP web interface to temporarily allow cross-signing reset. Note that this is for now defined in the generic MSC which defines deep links to some OP pages and may move into its own MSC later.

In OIDC-native and OIDC-aware mode, Element Web should:

  • discover the account management URL and available actions through the OIDC provider discovery document (example: https://auth-oidc.lab.element.dev/.well-known/openid-configuration )
  • at the end of the cross signing reset flow, if it fails when uploading the key:
    • if the org.matrix.cross_signing_reset action is not available, abort
    • open {{ account_management_uri }}?action=org.matrix.cross_signing_reset (in a popup?)
    • try to upload the key until it works
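The three steps above, as an added example that is not part of this issue or of Element Web's code: read the account-management fields from a constructed OP discovery document, abort unless the reset action is advertised, build the `?action=org.matrix.cross_signing_reset` deep link, and retry the key upload a bounded number of times. The field names `account_management_uri` and `account_management_actions_supported` are taken from MSC2965 (an assumption about the draft as referenced here); the OP host, URLs and document contents are constructed sample data, and the upload callback is a synchronous stand-in for the real asynchronous API call.

```javascript
// Added example, not Element Web's own code. Field names follow MSC2965
// (assumption); the OP, URIs and discovery document are constructed samples.

const CROSS_SIGNING_RESET_ACTION = "org.matrix.cross_signing_reset";

// Constructed sample of an OP discovery document (the issue's
// /.well-known/openid-configuration), trimmed to the fields used here.
const SAMPLE_DISCOVERY = {
  issuer: "https://auth.example.invalid/",
  account_management_uri: "https://auth.example.invalid/account/",
  account_management_actions_supported: [
    "org.matrix.profile",
    CROSS_SIGNING_RESET_ACTION,
  ],
};

// Step 1: pull the account-management URL and the advertised actions out of
// the discovery document. Returns null when no usable URL is advertised.
function getAccountManagementInfo(discovery) {
  const uri = discovery && discovery.account_management_uri;
  if (typeof uri !== "string") return null;
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return null; // malformed URL: treat as "not advertised"
  }
  // Only ever send the user to an https page of the OP.
  if (parsed.protocol !== "https:") return null;
  const actions = discovery.account_management_actions_supported;
  return {
    uri: parsed.href,
    actions: Array.isArray(actions)
      ? actions.filter((a) => typeof a === "string")
      : [],
  };
}

// Step 2: abort (null) unless the reset action is advertised; otherwise build
// {account_management_uri}?action=org.matrix.cross_signing_reset.
function buildCrossSigningResetLink(discovery) {
  const info = getAccountManagementInfo(discovery);
  if (!info || !info.actions.includes(CROSS_SIGNING_RESET_ACTION)) return null;
  const link = new URL(info.uri);
  link.searchParams.set("action", CROSS_SIGNING_RESET_ACTION);
  return link.href;
}

// Step 3: retry the key upload a bounded number of times while the user
// completes the reset in the OP web interface. tryUpload returns true on
// success and throws (or returns false) on failure.
function uploadUntilSuccess(tryUpload, maxAttempts = 5) {
  let attempts = 0;
  let lastError = null;
  while (attempts < maxAttempts) {
    attempts += 1;
    try {
      if (tryUpload() === true) return { ok: true, attempts, lastError: null };
    } catch (err) {
      lastError = err; // e.g. the 501 "not yet supported" MatrixError
    }
  }
  return { ok: false, attempts, lastError };
}

// Whole fallback: what the client does once the initial upload has failed.
function runResetFallback(discovery, tryUpload, maxAttempts = 5) {
  const link = buildCrossSigningResetLink(discovery);
  if (link === null) {
    return {
      outcome: "abort",
      reason: "OP does not advertise " + CROSS_SIGNING_RESET_ACTION,
    };
  }
  // A real client would open `link` (popup or new tab) here, then poll.
  const result = uploadUntilSuccess(tryUpload, maxAttempts);
  return {
    outcome: result.ok ? "uploaded" : "gave-up",
    link,
    attempts: result.attempts,
  };
}
```

The https check and the bounded retry are the two defensive choices worth keeping in a real implementation: the deep link is a URL the client navigates the user to on the OP's say-so, so it should never be a non-TLS or unparseable value, and "try until it works" needs an upper bound so a user who closes the OP page does not leave the client polling indefinitely.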

Have you considered any alternatives?

No response

Additional context

No response

@t3chguy (Member) commented Feb 29, 2024

Blocked on approach. There are ~7 code paths which can hit this flow, all built around UIA, and this approach isn't feasible.
Proposals and PoCs at https://matrix.to/#/!DMIzOuSRGqxgoEIPDJ:element.io/$uhCxppGgjLQZLqcNx7I36U9xR5wPwBSVCyntQ0qYBI0?via=matrix.org&via=element.io&via=riot.ovh

@t3chguy (Member) commented May 7, 2024

Ultimately we are delegating this to the server via UIA. Later, when OIDC/MAS support privilege escalation, we will switch to that mechanism.

@t3chguy t3chguy closed this as completed May 7, 2024