Misc changes

Mainly adds a warning if the user_mapping_provider is not using the `sub` claim as subject Signed-off-by: Quentin Gliech <quenting@element.io>
matrix-org · Sep 16, 2022 · 6bfda89 · 6bfda89
1 parent 89c5216
commit 6bfda89
Showing 1 changed file with 22 additions and 3 deletions.
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
@@ -258,7 +258,7 @@ async def handle_backchannel_logout(self, request: SynapseRequest) -> None:
         """Handle an incoming request to /_synapse/client/oidc/backchannel_logout
 
         This extracts the logout_token from the request and tries to figure out
-        which account it is associated with. This works by matching the iss claim
+        which OpenID Provider it is comming from. This works by matching the iss claim
         with the issuer and the aud claim with the client_id.
 
         Since at this point we don't know who signed the JWT, we can't just
@@ -268,7 +268,6 @@ async def handle_backchannel_logout(self, request: SynapseRequest) -> None:
         Args:
             request: the incoming request from the browser.
         """
-        logger.warn("OHAI")
         logout_token = parse_string(request, "logout_token")
         if logout_token is None:
             raise SynapseError(400, "Missing logout_token in request")
@@ -286,7 +285,7 @@ async def handle_backchannel_logout(self, request: SynapseRequest) -> None:
 
         try:
             payload_bytes = unpaddedbase64.decode_base64(payload)
-            claims = json_decoder.decode(payload_bytes.decode('utf-8'))
+            claims = json_decoder.decode(payload_bytes.decode("utf-8"))
         except (json.JSONDecodeError, binascii.Error, UnicodeError):
             raise SynapseError(400, "Invalid logout_token payload in request")
 
@@ -497,6 +496,22 @@ def _validate_metadata(self, m: OpenIDProviderMetadata) -> None:
                     self.issuer,
                 )
 
+            # If OIDC backchannel logouts are enabled, the provider mapping provider
+            # should use the `sub` claim. We verify that by mapping a dumb user and see
+            # if we get back the sub claim
+            user = UserInfo({"sub": "thisisasubject"})
+            try:
+                subject = self._user_mapping_provider.get_remote_user_id(user)
+                if subject != user["sub"]:
+                    raise Exception()
+            except Exception:
+                logger.warning(
+                    "OIDC Back-Channel Logout is enabled for issuer %r but it looks "
+                    "like the configured `user_mapping_provider` does not use the "
+                    "`sub` claim as subject, which may be resuired for logouts to work",
+                    self.issuer,
+                )
+
     @property
     def _uses_userinfo(self) -> bool:
         """Returns True if the ``userinfo_endpoint`` should be used.
@@ -1233,6 +1248,10 @@ async def handle_backchannel_logout(
             auth_provider_id=self.idp_id,
             auth_provider_session_id=sid,
         )
+
+        # We have no guarantee that all the devices of that session are for the same
+        # `user_id`. Hence, we have to iterate over the list of devices and log them out
+        # one by one.
         for device in devices:
             user_id = device["user_id"]
             device_id = device["device_id"]