diff --git a/synapse/rest/client/login.py b/synapse/rest/client/login.py
index 896cf2cdbe..e04d4f2425 100644
--- a/synapse/rest/client/login.py
+++ b/synapse/rest/client/login.py
@@ -148,12 +148,10 @@ class LoginRestServlet(RestServlet):
# to SSO.
flows.append({"type": LoginRestServlet.CAS_TYPE})
- if (
- self.cas_enabled
- or self.saml2_enabled
- or self.oidc_enabled
- or self._get_login_token_enabled
- ):
+ # MSC3882 requires m.login.token to be advertised
+ supportLoginTokenFlow = self._get_login_token_enabled
+
+ if self.cas_enabled or self.saml2_enabled or self.oidc_enabled:
flows.append(
{
"type": LoginRestServlet.SSO_TYPE,
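Review bot: `supportLoginTokenFlow` is camelCase where the attributes it is built from (`cas_enabled`, `_get_login_token_enabled`) are snake_case; `support_login_token_flow = self._get_login_token_enabled` would match, and the same rename applies to the assignment and the `if` in the next hunk (the pre-existing `tokenTypeFlow` there already departs from the convention). The comment above it could state the decision being made, e.g. `# MSC3882 needs m.login.token advertised even when no SSO provider is configured`. The enclosing method starts and ends outside the hunk.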
@@ -164,13 +162,10 @@ class LoginRestServlet(RestServlet):
}
)
- # While it's valid for us to advertise this login type generally,
- # synapse currently only gives out these tokens as part of the
- # SSO login flow.
- # Generally we don't want to advertise login flows that clients
- # don't know how to implement, since they (currently) will always
- # fall back to the fallback API if they don't understand one of the
- # login flow types returned.
+ # SSO requires a login token to be generated, so we need to advertise that flow
+ supportLoginTokenFlow = True
+
+ if supportLoginTokenFlow:
tokenTypeFlow: Dict[str, Any] = {"type": LoginRestServlet.TOKEN_TYPE}
# If MSC3882 is enabled we advertise the get_login_token flag.
if self._get_login_token_enabled:
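Review bot: The deleted comment recorded why `m.login.token` was advertised only alongside SSO (clients that meet a flow type they do not understand fall back to the fallback API), and the new `if supportLoginTokenFlow:` branch advertises it on MSC3882 alone without recording that decision. Advertised flows should match what the login POST handler accepts, and that handler is not visible here, so it is worth confirming that a token login is accepted when only MSC3882 is enabled. I would add above the `if`: `# Advertised when SSO is configured or MSC3882 is enabled; clients on non-SSO servers will now see this flow type.` The block continues past the end of the hunk.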
diff --git a/tests/rest/client/test_login.py b/tests/rest/client/test_login.py
index 69b4638900..6f4135eea0 100644
--- a/tests/rest/client/test_login.py
+++ b/tests/rest/client/test_login.py
@@ -464,10 +464,14 @@ class LoginRestServletTestCase(unittest.HomeserverTestCase):
channel = self.make_request("GET", "/_matrix/client/r0/login")
self.assertEqual(channel.code, 200, channel.result)
- print(channel.json_body)
-
- flows = {flow["type"]: flow for flow in channel.json_body["flows"]}
- self.assertTrue(flows["m.login.token"]["org.matrix.msc3882.get_login_token"])
+ self.assertCountEqual(
+ channel.json_body["flows"],
+ [
+ {"type": "m.login.token", "org.matrix.msc3882.get_login_token": True},
+ {"type": "m.login.password"},
+ {"type": "m.login.application_service"},
+ ],
+ )
@skip_unless(has_saml2 and HAS_OIDC, "Requires SAML2 and OIDC")
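Review bot: Only the MSC3882-enabled case is asserted here; the other branch of the new flag (MSC3882 disabled and no SSO configured, where `m.login.token` should not be advertised) is not pinned by this hunk and may or may not be covered elsewhere in the file. A companion test with `self.assertNotIn("m.login.token", [f["type"] for f in channel.json_body["flows"]])` under the default config would guard against the flow being advertised unintentionally. The exact-match `assertCountEqual` suits that purpose, though it will need updating whenever a default flow is added. The test method's signature and its config override are outside the hunk.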