Support for form_post in OIDC responses (#9376)

Apple want to POST the OIDC auth response back to us rather than using query-params; add the necessary support to make that work.
2025-09-18 11:04:36 -04:00 · 2021-02-17 10:15:14 +00:00 · 2021-02-17 10:15:14 +00:00 · e1071fd625
commit e1071fd625
parent 33f64ca7d6
4 changed files with 78 additions and 36 deletions
--- a/synapse/rest/synapse/client/oidc/callback_resource.py
+++ b/synapse/rest/synapse/client/oidc/callback_resource.py
@ -12,19 +12,30 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
 import logging
+from typing import TYPE_CHECKING

 from synapse.http.server import DirectServeHtmlResource

+if TYPE_CHECKING:
+    from synapse.server import HomeServer
+
 logger = logging.getLogger(__name__)


 class OIDCCallbackResource(DirectServeHtmlResource):
    isLeaf = 1

-    def __init__(self, hs):
+    def __init__(self, hs: "HomeServer"):
        super().__init__()
        self._oidc_handler = hs.get_oidc_handler()

    async def _async_render_GET(self, request):
        await self._oidc_handler.handle_oidc_callback(request)
+
+    async def _async_render_POST(self, request):
+        # the auth response can be returned via an x-www-form-urlencoded form instead
+        # of GET params, as per
+        # https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html.
+        await self._oidc_handler.handle_oidc_callback(request)