Allow OIDC cookies to work on non-root public baseurls (#9726)
Applied a (slightly modified) patch from https://github.com/matrix-org/synapse/issues/9574. As far as I understand this would allow the cookie set during the OIDC flow to work on deployments using public baseurls that do not sit at the URL path root.pull/9887/head
parent
59d24c5bef
commit
695b73c861
|
@ -0,0 +1 @@
|
||||||
|
Fixes the OIDC SSO flow when using a `public_baseurl` value including a non-root URL path.
|
|
@ -235,7 +235,11 @@ class ServerConfig(Config):
|
||||||
self.print_pidfile = config.get("print_pidfile")
|
self.print_pidfile = config.get("print_pidfile")
|
||||||
self.user_agent_suffix = config.get("user_agent_suffix")
|
self.user_agent_suffix = config.get("user_agent_suffix")
|
||||||
self.use_frozen_dicts = config.get("use_frozen_dicts", False)
|
self.use_frozen_dicts = config.get("use_frozen_dicts", False)
|
||||||
|
|
||||||
self.public_baseurl = config.get("public_baseurl")
|
self.public_baseurl = config.get("public_baseurl")
|
||||||
|
if self.public_baseurl is not None:
|
||||||
|
if self.public_baseurl[-1] != "/":
|
||||||
|
self.public_baseurl += "/"
|
||||||
|
|
||||||
# Whether to enable user presence.
|
# Whether to enable user presence.
|
||||||
presence_config = config.get("presence") or {}
|
presence_config = config.get("presence") or {}
|
||||||
|
@ -407,10 +411,6 @@ class ServerConfig(Config):
|
||||||
config_path=("federation_ip_range_blacklist",),
|
config_path=("federation_ip_range_blacklist",),
|
||||||
)
|
)
|
||||||
|
|
||||||
if self.public_baseurl is not None:
|
|
||||||
if self.public_baseurl[-1] != "/":
|
|
||||||
self.public_baseurl += "/"
|
|
||||||
|
|
||||||
# (undocumented) option for torturing the worker-mode replication a bit,
|
# (undocumented) option for torturing the worker-mode replication a bit,
|
||||||
# for testing. The value defines the number of milliseconds to pause before
|
# for testing. The value defines the number of milliseconds to pause before
|
||||||
# sending out any replication updates.
|
# sending out any replication updates.
|
||||||
|
|
|
@ -15,7 +15,7 @@
|
||||||
import inspect
|
import inspect
|
||||||
import logging
|
import logging
|
||||||
from typing import TYPE_CHECKING, Dict, Generic, List, Optional, TypeVar, Union
|
from typing import TYPE_CHECKING, Dict, Generic, List, Optional, TypeVar, Union
|
||||||
from urllib.parse import urlencode
|
from urllib.parse import urlencode, urlparse
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
import pymacaroons
|
import pymacaroons
|
||||||
|
@ -68,8 +68,8 @@ logger = logging.getLogger(__name__)
|
||||||
#
|
#
|
||||||
# Here we have the names of the cookies, and the options we use to set them.
|
# Here we have the names of the cookies, and the options we use to set them.
|
||||||
_SESSION_COOKIES = [
|
_SESSION_COOKIES = [
|
||||||
(b"oidc_session", b"Path=/_synapse/client/oidc; HttpOnly; Secure; SameSite=None"),
|
(b"oidc_session", b"HttpOnly; Secure; SameSite=None"),
|
||||||
(b"oidc_session_no_samesite", b"Path=/_synapse/client/oidc; HttpOnly"),
|
(b"oidc_session_no_samesite", b"HttpOnly"),
|
||||||
]
|
]
|
||||||
|
|
||||||
#: A token exchanged from the token endpoint, as per RFC6749 sec 5.1. and
|
#: A token exchanged from the token endpoint, as per RFC6749 sec 5.1. and
|
||||||
|
@ -279,6 +279,13 @@ class OidcProvider:
|
||||||
self._config = provider
|
self._config = provider
|
||||||
self._callback_url = hs.config.oidc_callback_url # type: str
|
self._callback_url = hs.config.oidc_callback_url # type: str
|
||||||
|
|
||||||
|
# Calculate the prefix for OIDC callback paths based on the public_baseurl.
|
||||||
|
# We'll insert this into the Path= parameter of any session cookies we set.
|
||||||
|
public_baseurl_path = urlparse(hs.config.server.public_baseurl).path
|
||||||
|
self._callback_path_prefix = (
|
||||||
|
public_baseurl_path.encode("utf-8") + b"_synapse/client/oidc"
|
||||||
|
)
|
||||||
|
|
||||||
self._oidc_attribute_requirements = provider.attribute_requirements
|
self._oidc_attribute_requirements = provider.attribute_requirements
|
||||||
self._scopes = provider.scopes
|
self._scopes = provider.scopes
|
||||||
self._user_profile_method = provider.user_profile_method
|
self._user_profile_method = provider.user_profile_method
|
||||||
|
@ -779,8 +786,13 @@ class OidcProvider:
|
||||||
|
|
||||||
for cookie_name, options in _SESSION_COOKIES:
|
for cookie_name, options in _SESSION_COOKIES:
|
||||||
request.cookies.append(
|
request.cookies.append(
|
||||||
b"%s=%s; Max-Age=3600; %s"
|
b"%s=%s; Max-Age=3600; Path=%s; %s"
|
||||||
% (cookie_name, cookie.encode("utf-8"), options)
|
% (
|
||||||
|
cookie_name,
|
||||||
|
cookie.encode("utf-8"),
|
||||||
|
self._callback_path_prefix,
|
||||||
|
options,
|
||||||
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
metadata = await self.load_metadata()
|
metadata = await self.load_metadata()
|
||||||
|
|
Loading…
Reference in New Issue