authorMathieu Velten <mathieu.velten@beta.gouv.fr>2024-03-22 11:35:11 +0100
committerGitHub <noreply@github.com>2024-03-22 10:35:11 +0000
commitb7af076ab524c018992a05b031cd8e3533ab59d4 (patch)
tree5a2d86fc0e303ad2c0f6f37cbaf551627ca96d43 /synapse/handlers/oidc.py
parentDo not refuse to set read_marker if previous event_id is in wrong room (#16990) (diff)
Add OIDC config to add extra parameters to the authorize URL (#16971)
Diffstat (limited to '')
-rw-r--r--synapse/handlers/oidc.py20
1 files changed, 14 insertions, 6 deletions
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index ab28dc800e..22b59829fa 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -453,6 +453,10 @@ class OidcProvider:
         # optional brand identifier for this auth provider
         self.idp_brand = provider.idp_brand
 
+        self.additional_authorization_parameters = (
+            provider.additional_authorization_parameters
+        )
+
         self._sso_handler = hs.get_sso_handler()
         self._device_handler = hs.get_device_handler()
 
@@ -1006,17 +1010,21 @@ class OidcProvider:
 
         metadata = await self.load_metadata()
 
+        additional_authorization_parameters = dict(
+            self.additional_authorization_parameters
+        )
         # Automatically enable PKCE if it is supported.
-        extra_grant_values = {}
         if metadata.get("code_challenge_methods_supported"):
             code_verifier = generate_token(48)
 
             # Note that we verified the server supports S256 earlier (in
             # OidcProvider._validate_metadata).
-            extra_grant_values = {
-                "code_challenge_method": "S256",
-                "code_challenge": create_s256_code_challenge(code_verifier),
-            }
+            additional_authorization_parameters.update(
+                {
+                    "code_challenge_method": "S256",
+                    "code_challenge": create_s256_code_challenge(code_verifier),
+                }
+            )
 
         cookie = self._macaroon_generaton.generate_oidc_session_token(
             state=state,
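Review bot: The copied config dict is later unpacked with `**additional_authorization_parameters` next to the explicit `scope=`, `state=` and `nonce=` keywords (third hunk), so an operator who puts `state`, `nonce` or `scope` in `additional_authorization_parameters` gets a TypeError ("multiple values for keyword argument") at login time instead of a rejection when the config is loaded; the same applies to any other keyword that the call already passes above the visible lines. Reserved parameter names should be validated where the provider config is parsed (outside this file), or at minimum guarded here with `reserved = {"scope", "state", "nonce"}` and `if additional_authorization_parameters.keys() & reserved: raise ValueError(...)`. The ordering in this hunk is deliberately the safe one — PKCE values are applied by `update()` after the config values, so config cannot weaken `code_challenge`/`code_challenge_method` — and that is worth stating: `# Copy per request so PKCE values are added without mutating the provider config; update() after the copy so PKCE always wins over config.`. The enclosing method starts before this hunk and continues into the next one.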
@@ -1055,7 +1063,7 @@ class OidcProvider:
             scope=self._scopes,
             state=state,
             nonce=nonce,
-            **extra_grant_values,
+            **additional_authorization_parameters,
         )
 
     async def handle_oidc_callback(