From f8ce002204f6a8612d2d9aea6afbf7df30094168 Mon Sep 17 00:00:00 2001
From: Patrick Cloke
Date: Fri, 27 Mar 2020 09:33:46 -0400
Subject: [PATCH] Separate supported login types for login and UI Auth.
---
 synapse/handlers/auth.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/synapse/handlers/auth.py b/synapse/handlers/auth.py
index d5ef011fcc86..cf3c3768c7cd 100644
--- a/synapse/handlers/auth.py
+++ b/synapse/handlers/auth.py
@@ -131,9 +131,14 @@ def __init__(self, hs):
 for t in provider.get_supported_login_types().keys():
 if t not in login_types:
 login_types.append(t)
- if self._saml2_enabled:
- login_types.append(LoginType.SSO)
 self._supported_login_types = login_types
+ # Login types and UI Auth types have a heavy overlap, but are not
+ # necessarily identical. Login types have SSO (and other login types)
+ # added in the rest layer, see synapse.rest.client.v1.login.LoginRestServerlet.on_GET.
+ ui_auth_types = login_types.copy()
+ if self._saml2_enabled:
+ ui_auth_types.append(LoginType.SSO)
+ self._supported_ui_auth_types = ui_auth_types
 
 # Ratelimiter for failed auth during UIA. Uses same ratelimit config
 # as per `rc_login.failed_attempts`.
@@ -214,7 +219,7 @@ def validate_user_via_ui_auth(
 )
 
 # build a list of supported flows
- flows = [[login_type] for login_type in self._supported_login_types]
+ flows = [[login_type] for login_type in self._supported_ui_auth_types]
 
 try:
 result, params, _ = yield self.check_auth(
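Review bot: The added comment in `__init__` points at `LoginRestServerlet.on_GET`, which looks like a misspelling of the servlet class name and will not turn up in a search; I would write `# added in the rest layer, see synapse.rest.client.v1.login.LoginRestServlet.on_GET.`. Because `self._supported_login_types` no longer carries `LoginType.SSO` when SAML2 is enabled, any other reader of that attribute outside this hunk should be checked so SSO is neither missing from nor duplicated in what the login endpoint advertises. The SSO entry for UI Auth is gated only on `self._saml2_enabled`; if other SSO back ends can be configured they are presumably excluded on purpose, and a one-line comment saying so would save the next reader from guessing. `__init__` starts and ends outside the hunk.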
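Review bot: Each entry of `self._supported_ui_auth_types` becomes its own one-stage flow on the new `flows = ...` line in `validate_user_via_ui_auth`, so any single type in that list is sufficient on its own to pass re-authentication. That property is easy to miss from `__init__`, where the list is built, and deserves a comment there, e.g. `# every type listed here is a complete UI Auth flow by itself`. A test asserting the offered flows with SAML2 enabled and disabled would pin the login/UI Auth split this commit introduces. `validate_user_via_ui_auth` starts and ends outside the hunk, so how the completed stage is tied back to the requesting user cannot be judged from here.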