summary refs log tree commit diff
diff options
context:
space:
mode:
authorQuentin Gliech <quenting@element.io>2023-04-04 18:11:17 +0200
committerPatrick Cloke <clokep@users.noreply.github.com>2023-05-30 09:43:06 -0400
commitc008b44b4f7bb3604be77709c62e6ec78389f8ed (patch)
treec15b16ffbff06366b445c419a31b1e653fe71f98
parentTests for JWKS endpoint (diff)
downloadsynapse-c008b44b4f7bb3604be77709c62e6ec78389f8ed.tar.xz
Add an admin token for MAS -> Synapse calls
-rw-r--r--synapse/api/auth/msc3861_delegated.py15
-rw-r--r--synapse/config/experimental.py9
2 files changed, 24 insertions, 0 deletions
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index 4ca3280bd3..a84b7730b3 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -90,6 +90,7 @@ class MSC3861DelegatedAuth(BaseAuth):
 
         self._http_client = hs.get_proxied_http_client()
         self._hostname = hs.hostname
+        self._admin_token = self._config.admin_token
 
         self._issuer_metadata = RetryOnExceptionCachedCall(self._load_metadata)
 
@@ -176,6 +177,20 @@ class MSC3861DelegatedAuth(BaseAuth):
         token: str,
         allow_expired: bool = False,
     ) -> Requester:
+        if self._admin_token is not None and token == self._admin_token:
+            # XXX: This is a temporary solution so that the admin API can be called by
+            # the OIDC provider. This will be removed once we have OIDC client
+            # credentials grant support in matrix-authentication-service.
+            logging.info("Admin toked used")
+            # XXX: that user doesn't exist and won't be provisioned.
+            # This is mostly fine for admin calls, but we should also think about doing
+            # requesters without a user_id.
+            admin_user = UserID("__oidc_admin", self._hostname)
+            return create_requester(
+                user_id=admin_user,
+                scope=["urn:synapse:admin:*"],
+            )
+
         introspection_result = await self._introspect_token(token)
 
         logger.info(f"Introspection result: {introspection_result!r}")
diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py
index b9607975f9..d4dff22b0b 100644
--- a/synapse/config/experimental.py
+++ b/synapse/config/experimental.py
@@ -136,6 +136,15 @@ class MSC3861:
     )
     """The URL of the My Account page on the OIDC Provider as per MSC2965."""
 
+    admin_token: Optional[str] = attr.ib(
+        default=None,
+        validator=attr.validators.optional(attr.validators.instance_of(str)),
+    )
+    """
+    A token that should be considered as an admin token.
+    This is used by the OIDC provider, to make admin calls to Synapse.
+    """
+
     def check_config_conflicts(self, root: RootConfig) -> None:
         """Checks for any configuration conflicts with other parts of Synapse.