From 1b4410063d630e36b03a6a607dd21f12c0b1a7dd Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Wed, 3 Jun 2020 14:49:59 -0400
Subject: [PATCH] Enable the token login type for OIDC.
---
 changelog.d/7631.bugfix | 1 +
 synapse/rest/client/v1/login.py | 11 +++--------
 2 files changed, 4 insertions(+), 8 deletions(-)
 create mode 100644 changelog.d/7631.bugfix
diff --git a/changelog.d/7631.bugfix b/changelog.d/7631.bugfix
new file mode 100644
index 000000000000..e358c7d8bc31
--- /dev/null
+++ b/changelog.d/7631.bugfix
@@ -0,0 +1 @@
+Support the `m.login.token` login flow when OpenID Connect is enabled.
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index 36aca823462d..6ac7c5142b88 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -99,25 +99,20 @@ def on_GET(self, request):
 flows.append({"type": LoginRestServlet.JWT_TYPE})
 if self.cas_enabled:
- flows.append({"type": LoginRestServlet.SSO_TYPE})
-
 # we advertise CAS for backwards compat, though MSC1721 renamed it
 # to SSO.
 flows.append({"type": LoginRestServlet.CAS_TYPE})
+ if self.cas_enabled or self.saml2_enabled or self.oidc_enabled:
+ flows.append({"type": LoginRestServlet.SSO_TYPE})
 # While its valid for us to advertise this login type generally,
 # synapse currently only gives out these tokens as part of the
- # CAS login flow.
+ # SSO login flow.
 # Generally we don't want to advertise login flows that clients
 # don't know how to implement, since they (currently) will always
 # fall back to the fallback API if they don't understand one of the
 # login flow types returned.
 flows.append({"type": LoginRestServlet.TOKEN_TYPE})
- elif self.saml2_enabled:
- flows.append({"type": LoginRestServlet.SSO_TYPE})
- flows.append({"type": LoginRestServlet.TOKEN_TYPE})
- elif self.oidc_enabled:
- flows.append({"type": LoginRestServlet.SSO_TYPE})
 flows.extend(
 ({"type": t} for t in self.auth_handler.get_supported_login_types())
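Review bot: On CAS deployments the advertised order changes in this hunk: `LoginRestServlet.CAS_TYPE` is now appended before `LoginRestServlet.SSO_TYPE`, where the removed branch listed SSO first. If any client picks the first flow it recognises it would now prefer the legacy type, so either confirm that order is not significant or move the `if self.cas_enabled:` block below the combined SSO block. The diffstat lists no test file; a test asserting that `on_GET` with only `oidc_enabled` set returns both `SSO_TYPE` and `TOKEN_TYPE` would stop the three backends from drifting apart again. This list is only advertisement, so the code that actually accepts a `TOKEN_TYPE` login, which is outside the hunk, should be checked to treat tokens issued by the OIDC flow the same way as those from CAS and SAML2. `on_GET` begins before the hunk and continues past it.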