From bbaba3c27f38d1e7e0de6520e9b9f45fa7b66e1e Mon Sep 17 00:00:00 2001
From: David Robertson
Date: Sat, 21 May 2022 21:41:38 +0100
Subject: endpoints are required if discovery is enabled
---
 synapse/config/oidc2.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'synapse')
diff --git a/synapse/config/oidc2.py b/synapse/config/oidc2.py
index a5f4b37b86..1e2f434867 100644
--- a/synapse/config/oidc2.py
+++ b/synapse/config/oidc2.py
@@ -101,13 +101,26 @@ class OIDCProviderModel(BaseModel):
 scopes: Tuple[StrictStr, ...] = ("openid",)
 # the oauth2 authorization endpoint. Required if discovery is disabled.
- # TODO: required if discovery is disabled
 authorization_endpoint: Optional[StrictStr]
 # the oauth2 token endpoint. Required if discovery is disabled.
- # TODO: required if discovery is disabled
 token_endpoint: Optional[StrictStr]
+ # Normally, validators aren't run when fields don't have a value provided.
+ # Using validate=True ensures we run the validator even in that situation.
+ @validator("authorization_endpoint", "token_endpoint", always=True)
+ def endpoints_required_if_discovery_disabled(
+ cls: Type["OIDCProviderModel"],
+ endpoint_url: Optional[str],
+ values: Mapping[str, Any],
+ field: ModelField,
+ ) -> Optional[str]:
+ # `if "discover" in values means: don't run our checks if "discover" didn't
+ # pass validation. (NB: validation order is the field definition order)
+ if "discover" in values and not values["discover"] and endpoint_url is None:
+ raise ValueError(f"{field.name} is required if discovery is disabled")
+ return endpoint_url
+
 # the OIDC userinfo endpoint. Required if discovery is disabled and the
 # "openid" scope is not requested.
 # TODO: required if discovery is disabled and the openid scope isn't requested
--
cgit 1.5.1
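Review bot: The comment above the new validator says `validate=True`, but the decorator on the next line passes `always=True`, which is the pydantic argument that makes a validator run for fields that were not supplied; the comment should read `# Using always=True ensures we run the validator even in that situation.` so a reader does not go looking for a non-existent option. The guard `endpoint_url is None` still lets an empty string through when discovery is disabled (StrictStr accepts `""`), so a blank `authorization_endpoint` or `token_endpoint` is only caught at first use rather than at config load; `if "discover" in values and not values["discover"] and not endpoint_url:` would reject it up front with the same error message. The check also relies on the `discover` field being declared before these two endpoints, as the inline note on validation order says, but that field and the rest of `OIDCProviderModel` lie outside the hunk, so the ordering cannot be confirmed here. Separately, the commit subject says "enabled" where the validator and its message enforce "disabled".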