Combine the SSO Redirect Servlets (#9015)

* Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
2025-06-20 05:34:09 -04:00 · 2021-01-04 18:13:49 +00:00 · 2021-01-04 18:13:49 +00:00 · d2c616a413
commit d2c616a413
parent 31b1905e13
8 changed files with 174 additions and 113 deletions
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@ -119,10 +119,12 @@ class OidcHandler(BaseHandler):
        self._macaroon_secret_key = hs.config.macaroon_secret_key

        # identifier for the external_ids table
-        self._auth_provider_id = "oidc"
+        self.idp_id = "oidc"

        self._sso_handler = hs.get_sso_handler()

+        self._sso_handler.register_identity_provider(self)
+
    def _validate_metadata(self):
        """Verifies the provider metadata.

@ -475,7 +477,7 @@ class OidcHandler(BaseHandler):
    async def handle_redirect_request(
        self,
        request: SynapseRequest,
-        client_redirect_url: bytes,
+        client_redirect_url: Optional[bytes],
        ui_auth_session_id: Optional[str] = None,
    ) -> str:
        """Handle an incoming request to /login/sso/redirect
@ -499,7 +501,7 @@ class OidcHandler(BaseHandler):
            request: the incoming request from the browser.
                We'll respond to it with a redirect and a cookie.
            client_redirect_url: the URL that we should redirect the client to
-                when everything is done
+                when everything is done (or None for UI Auth)
            ui_auth_session_id: The session ID of the ongoing UI Auth (or
                None if this is a login).

@ -511,6 +513,9 @@ class OidcHandler(BaseHandler):
        state = generate_token()
        nonce = generate_token()

+        if not client_redirect_url:
+            client_redirect_url = b""
+
        cookie = self._generate_oidc_session_token(
            state=state,
            nonce=nonce,
@ -682,7 +687,7 @@ class OidcHandler(BaseHandler):
                return

            return await self._sso_handler.complete_sso_ui_auth_request(
-                self._auth_provider_id, remote_user_id, ui_auth_session_id, request
+                self.idp_id, remote_user_id, ui_auth_session_id, request
            )

        # otherwise, it's a login
@ -923,7 +928,7 @@ class OidcHandler(BaseHandler):
            extra_attributes = await get_extra_attributes(userinfo, token)

        await self._sso_handler.complete_sso_login_request(
-            self._auth_provider_id,
+            self.idp_id,
            remote_user_id,
            request,
            client_redirect_url,