2025-05-05 03:54:58 -04:00 · 2020-10-01 19:54:35 +02:00 · 2020-10-01 19:54:35 +02:00 · 05ee048f2c
commit 05ee048f2c
parent 0b68577ed6
6 changed files with 65 additions and 15 deletions
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@ -96,6 +96,7 @@ class OidcHandler:
        self.hs = hs
        self._callback_url = hs.config.oidc_callback_url  # type: str
        self._scopes = hs.config.oidc_scopes  # type: List[str]
+        self._user_profile_method = hs.config.oidc_user_profile_method  # type: str
        self._client_auth = ClientAuth(
            hs.config.oidc_client_id,
            hs.config.oidc_client_secret,
@ -196,11 +197,11 @@ class OidcHandler:
                    % (m["response_types_supported"],)
                )

-        # If the openid scope was not requested, we need a userinfo endpoint to fetch user infos
+        # Ensure there's a userinfo endpoint to fetch from if it is required.
        if self._uses_userinfo:
            if m.get("userinfo_endpoint") is None:
                raise ValueError(
-                    'provider has no "userinfo_endpoint", even though it is required because the "openid" scope is not requested'
+                    'provider has no "userinfo_endpoint", even though it is required'
                )
        else:
            # If we're not using userinfo, we need a valid jwks to validate the ID token
@ -220,8 +221,10 @@ class OidcHandler:
        ``access_token`` with the ``userinfo_endpoint``.
        """

-        # Maybe that should be user-configurable and not inferred?
-        return "openid" not in self._scopes
+        return (
+            "openid" not in self._scopes
+            or self._user_profile_method == "userinfo_endpoint"
+        )

    async def load_metadata(self) -> OpenIDProviderMetadata:
        """Load and validate the provider metadata.