MSC3861: load the issuer and account management URLs from OIDC discovery (#17407)

This will help mitigating any discrepancies between the issuer
configured and the one returned by the OIDC provider.

This also removes the need for configuring the `account_management_url`
explicitely, as it will now be loaded from the OIDC discovery, as per
MSC2965.

Because we may now fetch stuff for the .well-known/matrix/client
endpoint, this also transforms the client well-known resource to be
asynchronous.

1 files changed, 11 insertions, 5 deletions

diff --git a/synapse/rest/client/auth.py b/synapse/rest/client/auth.py

index 32eeecd662..b8dca7c797 100644
--- a/synapse/rest/client/auth.py
+++ b/synapse/rest/client/auth.py
@@ -20,7 +20,7 @@
 #
 
 import logging
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, cast
 
 from twisted.web.server import Request
 
@@ -70,11 +70,17 @@ class AuthRestServlet(RestServlet):
             self.hs.config.experimental.msc3861.enabled
             and stagetype == "org.matrix.cross_signing_reset"
         ):
-            config = self.hs.config.experimental.msc3861
-            if config.account_management_url is not None:
-                url = f"{config.account_management_url}?action=org.matrix.cross_signing_reset"
+            # If MSC3861 is enabled, we can assume self._auth is an instance of MSC3861DelegatedAuth
+            # We import lazily here because of the authlib requirement
+            from synapse.api.auth.msc3861_delegated import MSC3861DelegatedAuth
+
+            auth = cast(MSC3861DelegatedAuth, self.auth)
+
+            url = await auth.account_management_url()
+            if url is not None:
+                url = f"{url}?action=org.matrix.cross_signing_reset"
             else:
-                url = config.issuer
+                url = await auth.issuer()
             respond_with_redirect(request, str.encode(url))
 
         if stagetype == LoginType.RECAPTCHA: