From 69507fec6e8b75ec18a069d1c4fba9376b478407 Mon Sep 17 00:00:00 2001
From: Mathieu Velten
Date: Thu, 8 Feb 2024 21:04:39 +0100
Subject: [PATCH] Add an OIDC config to specify extra parameters for the grant URL
---
changelog.d/16971.feature | 1 +
docs/usage/configuration/config_documentation.md | 5 +++++
synapse/config/oidc.py | 4 ++++
synapse/handlers/oidc.py | 4 +++-
4 files changed, 13 insertions(+), 1 deletion(-)
create mode 100644 changelog.d/16971.feature
diff --git a/changelog.d/16971.feature b/changelog.d/16971.feature
new file mode 100644
index 0000000000..9fdc88a322
--- /dev/null
+++ b/changelog.d/16971.feature
@@ -0,0 +1 @@
+Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 638a459ed5..d09baeec80 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -3349,6 +3349,9 @@ Options for each entry include:
 not included in `scopes`. Set to `userinfo_endpoint` to always use the userinfo endpoint.
+* `extra_grant_values`: String to string dictionary of values that will be passed as
+ extra parameters to the authorization grant URL.
+
 * `allow_existing_users`: set to true to allow a user logging in via OIDC to match a pre-existing account instead of failing. This could be used if switching from password logins to OIDC. Defaults to false.
@@ -3473,6 +3476,8 @@ oidc_providers:
 token_endpoint: "https://accounts.example.com/oauth2/token"
 userinfo_endpoint: "https://accounts.example.com/userinfo"
 jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
+ extra_grant_values:
+ acr_values: 2fa
 skip_verification: true
 enable_registration: true
 user_mapping_provider:
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index 102dba0219..7f30c9afb0 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@@ -342,6 +342,7 @@ def _parse_oidc_config_dict(
 user_mapping_provider_config=user_mapping_provider_config,
 attribute_requirements=attribute_requirements,
 enable_registration=oidc_config.get("enable_registration", True),
+ extra_grant_values=oidc_config.get("extra_grant_values", {}),
 )
@@ -444,3 +445,6 @@ class OidcProviderConfig:
 # Whether automatic registrations are enabled in the ODIC flow. Defaults to True
 enable_registration: bool
+
+ # Extra parameters that will be passed to the authorization grant URL
+ extra_grant_values: Mapping[str, str]
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index fe13d82b66..1486a4a970 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -442,6 +442,8 @@ def __init__(
 # optional brand identifier for this auth provider
 self.idp_brand = provider.idp_brand
+ self.extra_grant_values = provider.extra_grant_values
+
 self._sso_handler = hs.get_sso_handler()
 self._device_handler = hs.get_device_handler()
@@ -971,8 +973,8 @@ async def handle_redirect_request(
 metadata = await self.load_metadata()
+ extra_grant_values = dict(self.extra_grant_values)
 # Automatically enable PKCE if it is supported.
- extra_grant_values = {}
 if metadata.get("code_challenge_methods_supported"):
 code_verifier = generate_token(48)
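Review bot: The new `extra_grant_values: Mapping[str, str]` annotation on `OidcProviderConfig` relies on `Mapping` being in scope in this module; the import block is outside the hunk, so if it is not already imported from `typing` the class definition will fail at import time. The comment above the attribute could also be more precise about what callers may rely on, e.g. `# Extra query parameters (string -> string) appended to the authorization request URL; keys must not shadow the parameters the OIDC handler sets itself`. The `OidcProviderConfig` class body starts outside the hunk.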
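Review bot: The new `self.extra_grant_values = provider.extra_grant_values` line in `OidcProvider.__init__` is the only attribute in this stretch without a comment, while its neighbour `idp_brand` has one; I would add `# extra query parameters from the provider's extra_grant_values config, added to every authorization request`. Storing the config mapping by reference looks safe here because the handler hunk further down copies it with `dict(self.extra_grant_values)` before the PKCE values are added. Since the attribute appears to be read only inside this handler, a private `_extra_grant_values` name would match `_sso_handler` and `_device_handler` better than the public `idp_brand` style, unless something outside this diff needs it. `__init__` continues outside the hunk.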