From 33f64ca7d66c099c2f774ee2b5dd75eac008e345 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Tue, 16 Feb 2021 22:33:09 +0000
Subject: [PATCH] Allow OIDC config to override discovered values (#9384)
Fixes #9347
---
 changelog.d/9384.misc | 1 +
 synapse/handlers/oidc_handler.py | 27 ++++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 changelog.d/9384.misc
diff --git a/changelog.d/9384.misc b/changelog.d/9384.misc
new file mode 100644
index 0000000000..9db61f44db
--- /dev/null
+++ b/changelog.d/9384.misc
@@ -0,0 +1 @@
+Allow OIDC config to override discovered values.
diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py
index 702bfb8bc9..c00b9c57c6 100644
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@@ -383,22 +383,31 @@ class OidcProvider:
 return await self._provider_metadata.get()
 async def _load_metadata(self) -> OpenIDProviderMetadata:
- # init the metadata from our config
- metadata = OpenIDProviderMetadata(
- issuer=self._config.issuer,
- authorization_endpoint=self._config.authorization_endpoint,
- token_endpoint=self._config.token_endpoint,
- userinfo_endpoint=self._config.userinfo_endpoint,
- jwks_uri=self._config.jwks_uri,
- )
+ # start out with just the issuer (unlike the other settings, discovered issuer
+ # takes precedence over configured issuer, because configured issuer is
+ # required for discovery to take place.)
+ #
+ metadata = OpenIDProviderMetadata(issuer=self._config.issuer)
 # load any data from the discovery endpoint, if enabled
 if self._config.discover:
 url = get_well_known_url(self._config.issuer, external=True)
 metadata_response = await self._http_client.get_json(url)
- # TODO: maybe update the other way around to let user override some values?
 metadata.update(metadata_response)
+ # override any discovered data with any settings in our config
+ if self._config.authorization_endpoint:
+ metadata["authorization_endpoint"] = self._config.authorization_endpoint
+
+ if self._config.token_endpoint:
+ metadata["token_endpoint"] = self._config.token_endpoint
+
+ if self._config.userinfo_endpoint:
+ metadata["userinfo_endpoint"] = self._config.userinfo_endpoint
+
+ if self._config.jwks_uri:
+ metadata["jwks_uri"] = self._config.jwks_uri
+
 self._validate_metadata(metadata)
 return metadata
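Review bot: The discovery document is merged with `metadata.update(metadata_response)` without comparing its `issuer` to `self._config.issuer`, and the new comment above the constructor documents that the discovered value is meant to win; OpenID Connect Discovery requires the two to be identical, so unless `_validate_metadata` (outside the hunk) already enforces that, a discovery document whose issuer differs from the one that was fetched is accepted silently. A check right after the update, along the lines of `if metadata.get("issuer") != self._config.issuer:` followed by rejecting or at minimum logging the mismatch, would make a misconfigured or substituted discovery response visible to the operator. The four override blocks that follow likewise replace a discovered `authorization_endpoint`, `token_endpoint`, `userinfo_endpoint` or `jwks_uri` without any log line, so when discovery is enabled there is no record of which source a given endpoint actually came from; a debug log on each override (or a single loop over the four field names that logs the replaced value) would help troubleshooting. Note that the emptiness tests `if self._config.<field>:` treat an empty-string setting as "not configured", which is presumably intended but worth a word in the comment.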