author | David Robertson <davidr@element.io> | 2022-05-21 21:42:08 +0100 |
committer | David Robertson <davidr@element.io> | 2022-05-21 21:42:08 +0100 |
commit | 88f603f8452aada71c4ed1f43487f56c574a4519 (patch) | |
tree | 7ef9cbbba002448e63028fcc6a1c59328e4828bc | |
parent | endpoints are required if discovery is enabled (diff) | |
ensure idp_id gets a prefix
-rw-r--r-- | synapse/config/oidc2.py | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/synapse/config/oidc2.py b/synapse/config/oidc2.py
index 1e2f434867..e48b635e09 100644
--- a/synapse/config/oidc2.py
+++ b/synapse/config/oidc2.py
@@ -59,6 +59,20 @@ class OIDCProviderModel(BaseModel):
     # table, as well as the query/path parameter used in the login protocol.
     idp_id: IDP_ID_TYPE
+    @validator("idp_id")
+    def ensure_idp_id_prefix(cls: Type[BaseModel], idp_id: str) -> str:
+        """Prefix the given IDP with a prefix specific to the SSO mechanism, to avoid
+        clashes with other mechs (such as SAML, CAS).
+
+        We allow "oidc" as an exception so that people migrating from old-style
+        "oidc_config" format (which has long used "oidc" as its idp_id) can migrate to
+        a new-style "oidc_providers" entry without changing the idp_id for their provider
+        (and thereby invalidating their user_external_ids data).
+        """
+        if idp_id != "oidc":
+            return "oidc-" + idp_id
+        return idp_id
+
     # user-facing name for this identity provider.
     idp_name: StrictStr |
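Review bot: `ensure_idp_id_prefix` is not idempotent: a value that already carries the prefix is prefixed again (`"oidc-foo"` becomes `"oidc-oidc-foo"`), so any path that feeds an already-validated config back through OIDCProviderModel would silently change the identifier that keys user_external_ids and the login path parameter. If that one-shot behaviour is intended, the docstring should say so, e.g. `Note: this runs once at config load and is not idempotent; an idp_id that already starts with "oidc-" is prefixed a second time.` Since the validator is declared without `pre=True`, it appears to run after the field's own type validation, so any length or character constraint carried by IDP_ID_TYPE (defined outside this hunk) would be checked on the unprefixed value and the stored id could exceed it by the five added characters — worth confirming against IDP_ID_TYPE's definition. The enclosing class OIDCProviderModel starts and ends outside the hunk.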