authorQuentin Gliech <quenting@element.io>2025-05-02 14:07:23 +0200
committerGitHub <noreply@github.com>2025-05-02 12:07:23 +0000
commitd18edf67d6f444c8dfa6a46e8769bbfa8d22f57b (patch)
tree2704bd97cda4a6f46058014b690a89c9a1c6b1ea
parentDon't check the `at_hash` (access token hash) in OIDC ID Tokens if we don't u... (diff)
downloadsynapse-d18edf67d6f444c8dfa6a46e8769bbfa8d22f57b.tar.xz
Fix lint which broke in #18374 (#18385)
https://github.com/element-hq/synapse/pull/18374 did not pass linting
but was merged
-rw-r--r--changelog.d/18385.misc1
-rw-r--r--synapse/handlers/oidc.py2
2 files changed, 2 insertions, 1 deletions
diff --git a/changelog.d/18385.misc b/changelog.d/18385.misc
new file mode 100644

index 0000000000..a8efca68d0
--- /dev/null
+++ b/changelog.d/18385.misc
@@ -0,0 +1 @@
+Don't validate the `at_hash` (access token hash) field in OIDC ID Tokens if we don't end up actually using the OIDC Access Token.
\ No newline at end of file
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index fb759172b3..acf2d4bc8b 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -599,7 +599,7 @@ class OidcProvider: # from the userinfo endpoint. Therefore we only have a single criteria # to check right now but this may change in the future and this function # should be updated if more usages are introduced. - # + # # For example, if we start to use the access_token given to us by the # IdP for more things, such as accessing Resource Server APIs. return self._uses_userinfo