Save the OIDC session ID (sid) with the device on login (#11482)

As a step towards allowing back-channel logout for OIDC.
2025-05-17 03:32:13 -04:00 · 2021-12-06 18:43:06 +01:00 · 2021-12-06 18:43:06 +01:00 · a15a893df8
commit a15a893df8
parent 8b4b153c9e
15 changed files with 370 additions and 65 deletions
--- a/synapse/handlers/register.py
+++ b/synapse/handlers/register.py
@ -746,6 +746,7 @@ class RegistrationHandler:
        is_appservice_ghost: bool = False,
        auth_provider_id: Optional[str] = None,
        should_issue_refresh_token: bool = False,
+        auth_provider_session_id: Optional[str] = None,
    ) -> Tuple[str, str, Optional[int], Optional[str]]:
        """Register a device for a user and generate an access token.

@ -756,9 +757,9 @@ class RegistrationHandler:
            device_id: The device ID to check, or None to generate a new one.
            initial_display_name: An optional display name for the device.
            is_guest: Whether this is a guest account
-            auth_provider_id: The SSO IdP the user used, if any (just used for the
-                prometheus metrics).
+            auth_provider_id: The SSO IdP the user used, if any.
            should_issue_refresh_token: Whether it should also issue a refresh token
+            auth_provider_session_id: The session ID received during login from the SSO IdP.
        Returns:
            Tuple of device ID, access token, access token expiration time and refresh token
        """
@ -769,6 +770,8 @@ class RegistrationHandler:
            is_guest=is_guest,
            is_appservice_ghost=is_appservice_ghost,
            should_issue_refresh_token=should_issue_refresh_token,
+            auth_provider_id=auth_provider_id,
+            auth_provider_session_id=auth_provider_session_id,
        )

        login_counter.labels(
@ -791,6 +794,8 @@ class RegistrationHandler:
        is_guest: bool = False,
        is_appservice_ghost: bool = False,
        should_issue_refresh_token: bool = False,
+        auth_provider_id: Optional[str] = None,
+        auth_provider_session_id: Optional[str] = None,
    ) -> LoginDict:
        """Helper for register_device

@ -822,7 +827,11 @@ class RegistrationHandler:
        refresh_token_id = None

        registered_device_id = await self.device_handler.check_device_registered(
-            user_id, device_id, initial_display_name
+            user_id,
+            device_id,
+            initial_display_name,
+            auth_provider_id=auth_provider_id,
+            auth_provider_session_id=auth_provider_session_id,
        )
        if is_guest:
            assert access_token_expiry is None