diff --git a/changelog.d/9384.misc b/changelog.d/9384.misc
new file mode 100644
index 000000000..9db61f44d
--- /dev/null
+++ b/changelog.d/9384.misc
@@ -0,0 +1 @@
+Allow OIDC config to override discovered values.
diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py
index 702bfb8bc..c00b9c57c 100644
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@@ -383,22 +383,31 @@ class OidcProvider:
         return await self._provider_metadata.get()
 
     async def _load_metadata(self) -> OpenIDProviderMetadata:
-        # init the metadata from our config
-        metadata = OpenIDProviderMetadata(
-            issuer=self._config.issuer,
-            authorization_endpoint=self._config.authorization_endpoint,
-            token_endpoint=self._config.token_endpoint,
-            userinfo_endpoint=self._config.userinfo_endpoint,
-            jwks_uri=self._config.jwks_uri,
-        )
+        # start out with just the issuer (unlike the other settings, discovered issuer
+        # takes precedence over configured issuer, because configured issuer is
+        # required for discovery to take place.)
+        #
+        metadata = OpenIDProviderMetadata(issuer=self._config.issuer)
 
         # load any data from the discovery endpoint, if enabled
         if self._config.discover:
             url = get_well_known_url(self._config.issuer, external=True)
             metadata_response = await self._http_client.get_json(url)
-            # TODO: maybe update the other way around to let user override some values?
             metadata.update(metadata_response)
 
+        # override any discovered data with any settings in our config
+        if self._config.authorization_endpoint:
+            metadata["authorization_endpoint"] = self._config.authorization_endpoint
+
+        if self._config.token_endpoint:
+            metadata["token_endpoint"] = self._config.token_endpoint
+
+        if self._config.userinfo_endpoint:
+            metadata["userinfo_endpoint"] = self._config.userinfo_endpoint
+
+        if self._config.jwks_uri:
+            metadata["jwks_uri"] = self._config.jwks_uri
+
         self._validate_metadata(metadata)
 
         return metadata
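Review bot: The new comment above `metadata = OpenIDProviderMetadata(issuer=self._config.issuer)` states that the discovered issuer takes precedence over the configured one, but nothing in the hunk checks that the `issuer` returned by `metadata.update(metadata_response)` actually equals `self._config.issuer`; OIDC Discovery requires the client to verify that the `issuer` in the discovery document matches the issuer URL it was fetched for, and a mismatch is the signal that the document has been tampered with or fetched from the wrong origin. Unless `_validate_metadata` (outside the hunk) already performs that comparison, add it directly after the update: `if metadata.get("issuer") != self._config.issuer:` / `    raise ValueError("issuer in discovery document does not match configured issuer")`. The comment itself would then read more accurately as "the discovered issuer must match the configured issuer" rather than "takes precedence". As a point of style, the four repeated `if self._config.X: metadata["X"] = self._config.X` blocks could be a single loop over `("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")` using `getattr`, which also keeps the override list in one place when a fifth setting is added; note the trailing bare `#` line in the new comment can be dropped.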