Add OIDC config to add extra parameters to the authorize URL #16971

Merged
merged 5 commits into from Mar 22, 2024
Changes from 1 commit
1 change: 1 addition & 0 deletions changelog.d/16971.feature
@@ -0,0 +1 @@
Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example.
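Review bot: the changelog entry has a capitalisation slip ("IT can be useful" should read "It can be useful") and never names the option it introduces; an admin reading release notes has no way to find it in the docs. Suggest: "Add the `extra_grant_values` OIDC provider option to pass extra query parameters to the authorization endpoint URL, for example an `acr_values` value."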
5 changes: 5 additions & 0 deletions docs/usage/configuration/config_documentation.md
@@ -3349,6 +3349,9 @@ Options for each entry include:
not included in `scopes`. Set to `userinfo_endpoint` to always use the
userinfo endpoint.

* `extra_grant_values`: String to string dictionary of values that will be passed as
extra parameters to the authorization grant URL.

* `allow_existing_users`: set to true to allow a user logging in via OIDC to
match a pre-existing account instead of failing. This could be used if
switching from password logins to OIDC. Defaults to false.
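Review bot: the new `extra_grant_values` paragraph does not say what happens when a configured key collides with a parameter Synapse already places in the authorization request itself (the PKCE `code_challenge` that the handler adds after copying these values, and the standard request parameters). State the precedence explicitly, for example "parameters set by Synapse take precedence over values listed here", because an admin who believes these override `redirect_uri` or `state` would otherwise be surprised, and one who could override them would weaken the login flow. A short note that the values end up in the URL query string, and so must be plain strings, would also make the "string to string dictionary" wording concrete.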
@@ -3473,6 +3476,8 @@ oidc_providers:
token_endpoint: "https://accounts.example.com/oauth2/token"
userinfo_endpoint: "https://accounts.example.com/userinfo"
jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
extra_grant_values:
acr_values: 2fa
skip_verification: true
enable_registration: true
user_mapping_provider:
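Review bot: the example `acr_values: 2fa` happens to parse as a string, but a value such as `acr_values: 2` or `prompt: true` would be read by YAML as an integer or a boolean, which contradicts the "string to string" type the option documents and, depending on how the URL is built, may produce `True` instead of `true` in the query string. Either quote the example value (`acr_values: "2fa"`) so readers copy the safe form, or mention in the docs that values should be quoted when they could be mistaken for numbers or booleans.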
4 changes: 4 additions & 0 deletions synapse/config/oidc.py
@@ -342,6 +342,7 @@ def _parse_oidc_config_dict(
user_mapping_provider_config=user_mapping_provider_config,
attribute_requirements=attribute_requirements,
enable_registration=oidc_config.get("enable_registration", True),
extra_grant_values=oidc_config.get("extra_grant_values", {}),
)


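Review bot: `oidc_config.get("extra_grant_values", {})` accepts whatever type the YAML supplies with no check that it is a mapping of string keys to string values, which is what both the documentation and the `Mapping[str, str]` annotation promise. A list, a nested mapping or a non-string value would only fail later, while the redirect URL is being built during a user's login attempt, instead of at startup. Validate the shape at parse time (if the other provider keys in this module are checked against a schema, add the key there with `type: object` and string values) and raise a config error naming the key path, so a misconfiguration is caught before the server serves logins.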
@@ -444,3 +445,6 @@ class OidcProviderConfig:

# Whether automatic registrations are enabled in the ODIC flow. Defaults to True
enable_registration: bool

# Extra parameters that will be passed to the authorization grant URL
extra_grant_values: Mapping[str, str]
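Review bot: `extra_grant_values` is added as a required attribute with no default, and `_parse_oidc_config_dict` supplies it by keyword, so any other place that constructs `OidcProviderConfig` directly (test fixtures in particular) will now fail until updated; either give the field a default of an empty mapping or confirm every constructor call site is covered in this PR. The comment could also note that these values are applied before the parameters the handler generates, so a reader of the config class knows they cannot override them.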
4 changes: 3 additions & 1 deletion synapse/handlers/oidc.py
@@ -442,6 +442,8 @@ def __init__(
# optional brand identifier for this auth provider
self.idp_brand = provider.idp_brand

self.extra_grant_values = provider.extra_grant_values

self._sso_handler = hs.get_sso_handler()
self._device_handler = hs.get_device_handler()

@@ -971,8 +973,8 @@ async def handle_redirect_request(

metadata = await self.load_metadata()

extra_grant_values = dict(self.extra_grant_values)
# Automatically enable PKCE if it is supported.
extra_grant_values = {}
if metadata.get("code_challenge_methods_supported"):
code_verifier = generate_token(48)

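Review bot: the ordering in this hunk is what keeps the option safe and deserves a comment, because it is easy to break in a later refactor: `extra_grant_values = dict(self.extra_grant_values)` takes a fresh per-request copy, so the PKCE `code_challenge` inserted further down does not leak into the shared provider config across requests, and the PKCE values are added after the copy, so a configured `code_challenge` key cannot silently replace the generated one. The remainder of `handle_redirect_request` is outside this hunk, so please confirm the same holds for the other parameters the handler builds (`state`, `nonce`, `redirect_uri`, `scope`), i.e. that they are applied after the configured extras rather than merged from them. A one-line comment above the copy, such as "values set by the handler below take precedence over the configured extras", would record the intent.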