Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add OIDC config to add extra parameters to the authorize URL #16971

Merged
merged 5 commits into from
Mar 22, 2024
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/16971.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example.
5 changes: 5 additions & 0 deletions docs/usage/configuration/config_documentation.md
Original file line number Diff line number Diff line change
Expand Up @@ -3349,6 +3349,9 @@ Options for each entry include:
not included in `scopes`. Set to `userinfo_endpoint` to always use the
userinfo endpoint.

* `extra_grant_values`: String to string dictionary of values that will be passed as
extra parameters to the authorization grant URL.

* `allow_existing_users`: set to true to allow a user logging in via OIDC to
match a pre-existing account instead of failing. This could be used if
switching from password logins to OIDC. Defaults to false.
Expand Down Expand Up @@ -3473,6 +3476,8 @@ oidc_providers:
token_endpoint: "https://accounts.example.com/oauth2/token"
userinfo_endpoint: "https://accounts.example.com/userinfo"
jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
extra_grant_values:
MatMaul marked this conversation as resolved.
Show resolved Hide resolved
acr_values: 2fa
skip_verification: true
enable_registration: true
user_mapping_provider:
Expand Down
4 changes: 4 additions & 0 deletions synapse/config/oidc.py
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,7 @@ def _parse_oidc_config_dict(
user_mapping_provider_config=user_mapping_provider_config,
attribute_requirements=attribute_requirements,
enable_registration=oidc_config.get("enable_registration", True),
extra_grant_values=oidc_config.get("extra_grant_values", {}),
)


Expand Down Expand Up @@ -444,3 +445,6 @@ class OidcProviderConfig:

# Whether automatic registrations are enabled in the ODIC flow. Defaults to True
enable_registration: bool

# Extra parameters that will be passed to the authorization grant URL
extra_grant_values: Mapping[str, str]
4 changes: 3 additions & 1 deletion synapse/handlers/oidc.py
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,8 @@ def __init__(
# optional brand identifier for this auth provider
self.idp_brand = provider.idp_brand

self.extra_grant_values = provider.extra_grant_values

self._sso_handler = hs.get_sso_handler()
self._device_handler = hs.get_device_handler()

Expand Down Expand Up @@ -971,8 +973,8 @@ async def handle_redirect_request(

metadata = await self.load_metadata()

extra_grant_values = dict(self.extra_grant_values)
# Automatically enable PKCE if it is supported.
extra_grant_values = {}
if metadata.get("code_challenge_methods_supported"):
code_verifier = generate_token(48)

Expand Down
Loading