Skip to content

Commit

Permalink
Add an OIDC config to specify extra parameters for the grant URL
Browse files Browse the repository at this point in the history
  • Loading branch information
MatMaul committed Mar 1, 2024
1 parent 274f289 commit 69507fe
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 1 deletion.
1 change: 1 addition & 0 deletions changelog.d/16971.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add an OIDC config to specify extra parameters for the authorization grant URL. IT can be useful to pass an ACR value for example.
5 changes: 5 additions & 0 deletions docs/usage/configuration/config_documentation.md
Original file line number Diff line number Diff line change
Expand Up @@ -3349,6 +3349,9 @@ Options for each entry include:
not included in `scopes`. Set to `userinfo_endpoint` to always use the
userinfo endpoint.

* `extra_grant_values`: String to string dictionary of values that will be passed as
extra parameters to the authorization grant URL.

* `allow_existing_users`: set to true to allow a user logging in via OIDC to
match a pre-existing account instead of failing. This could be used if
switching from password logins to OIDC. Defaults to false.
Expand Down Expand Up @@ -3473,6 +3476,8 @@ oidc_providers:
token_endpoint: "https://accounts.example.com/oauth2/token"
userinfo_endpoint: "https://accounts.example.com/userinfo"
jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
extra_grant_values:
acr_values: 2fa
skip_verification: true
enable_registration: true
user_mapping_provider:
Expand Down
4 changes: 4 additions & 0 deletions synapse/config/oidc.py
Original file line number Diff line number Diff line change
Expand Up @@ -342,6 +342,7 @@ def _parse_oidc_config_dict(
user_mapping_provider_config=user_mapping_provider_config,
attribute_requirements=attribute_requirements,
enable_registration=oidc_config.get("enable_registration", True),
extra_grant_values=oidc_config.get("extra_grant_values", {}),
)


Expand Down Expand Up @@ -444,3 +445,6 @@ class OidcProviderConfig:

# Whether automatic registrations are enabled in the ODIC flow. Defaults to True
enable_registration: bool

# Extra parameters that will be passed to the authorization grant URL
extra_grant_values: Mapping[str, str]
4 changes: 3 additions & 1 deletion synapse/handlers/oidc.py
Original file line number Diff line number Diff line change
Expand Up @@ -442,6 +442,8 @@ def __init__(
# optional brand identifier for this auth provider
self.idp_brand = provider.idp_brand

self.extra_grant_values = provider.extra_grant_values

self._sso_handler = hs.get_sso_handler()
self._device_handler = hs.get_device_handler()

Expand Down Expand Up @@ -971,8 +973,8 @@ async def handle_redirect_request(

metadata = await self.load_metadata()

extra_grant_values = dict(self.extra_grant_values)
# Automatically enable PKCE if it is supported.
extra_grant_values = {}
if metadata.get("code_challenge_methods_supported"):
code_verifier = generate_token(48)

Expand Down

0 comments on commit 69507fe

Please sign in to comment.