Combine the SSO Redirect Servlets (#9015)

* Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
2025-05-06 13:34:58 -04:00 · 2021-01-04 18:13:49 +00:00 · 2021-01-04 18:13:49 +00:00 · d2c616a413
commit d2c616a413
parent 31b1905e13
8 changed files with 174 additions and 113 deletions
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@ -73,27 +73,38 @@ class SamlHandler(BaseHandler):
        )

        # identifier for the external_ids table
-        self._auth_provider_id = "saml"
+        self.idp_id = "saml"

        # a map from saml session id to Saml2SessionData object
        self._outstanding_requests_dict = {}  # type: Dict[str, Saml2SessionData]

        self._sso_handler = hs.get_sso_handler()
+        self._sso_handler.register_identity_provider(self)

-    def handle_redirect_request(
-        self, client_redirect_url: bytes, ui_auth_session_id: Optional[str] = None
-    ) -> bytes:
+    async def handle_redirect_request(
+        self,
+        request: SynapseRequest,
+        client_redirect_url: Optional[bytes],
+        ui_auth_session_id: Optional[str] = None,
+    ) -> str:
        """Handle an incoming request to /login/sso/redirect

        Args:
+            request: the incoming HTTP request
            client_redirect_url: the URL that we should redirect the
-                client to when everything is done
+                client to after login (or None for UI Auth).
            ui_auth_session_id: The session ID of the ongoing UI Auth (or
                None if this is a login).

        Returns:
            URL to redirect to
        """
+        if not client_redirect_url:
+            # Some SAML identity providers (e.g. Google) require a
+            # RelayState parameter on requests, so pass in a dummy redirect URL
+            # (which will never get used).
+            client_redirect_url = b"unused"
+
        reqid, info = self._saml_client.prepare_for_authenticate(
            entityid=self._saml_idp_entityid, relay_state=client_redirect_url
        )
@ -210,7 +221,7 @@ class SamlHandler(BaseHandler):
                return

            return await self._sso_handler.complete_sso_ui_auth_request(
-                self._auth_provider_id,
+                self.idp_id,
                remote_user_id,
                current_session.ui_auth_session_id,
                request,
@ -306,7 +317,7 @@ class SamlHandler(BaseHandler):
            return None

        await self._sso_handler.complete_sso_login_request(
-            self._auth_provider_id,
+            self.idp_id,
            remote_user_id,
            request,
            client_redirect_url,