authorQuentin Gliech <quenting@element.io>2024-07-08 14:08:11 +0200
committerGitHub <noreply@github.com>2024-07-08 14:08:11 +0200
commitc896030f679ad4987df015970a0c55aa4ffe8466 (patch)
tree5c2321fa8e2eb0a2c591b66b5c62492cdf963c6c
parentBump certifi from 2023.7.22 to 2024.7.4 (#17404) (diff)
MSC3861: allow overriding the introspection endpoint (#17406)
This makes it easier to go through an internal endpoint instead of the
public-facing URL when introspecting tokens, reducing latency.
-rw-r--r--changelog.d/17406.misc1
-rw-r--r--synapse/api/auth/msc3861_delegated.py15
-rw-r--r--synapse/config/experimental.py6
3 files changed, 20 insertions, 2 deletions
diff --git a/changelog.d/17406.misc b/changelog.d/17406.misc
new file mode 100644
index 0000000000..83f34cac43
--- /dev/null
+++ b/changelog.d/17406.misc
@@ -0,0 +1 @@
+MSC3861: allow overriding the introspection endpoint.
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index f61b39ded7..7361666c77 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -145,6 +145,18 @@ class MSC3861DelegatedAuth(BaseAuth):
         # metadata.validate_introspection_endpoint()
         return metadata
 
+    async def _introspection_endpoint(self) -> str:
+        """
+        Returns the introspection endpoint of the issuer
+
+        It uses the config option if set, otherwise it will use OIDC discovery to get it
+        """
+        if self._config.introspection_endpoint is not None:
+            return self._config.introspection_endpoint
+
+        metadata = await self._load_metadata()
+        return metadata.get("introspection_endpoint")
+
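Review bot: `_introspection_endpoint` is annotated `-> str`, but its discovery branch returns `metadata.get("introspection_endpoint")`, which is `None` whenever the issuer metadata lacks that key, so a misconfigured issuer surfaces later as a request to a `None` URL instead of a clear configuration error; the old code had the same `.get()`, but the new helper is the natural place to make the failure explicit, e.g. `endpoint = metadata.get("introspection_endpoint")`, `if endpoint is None: raise ValueError("issuer metadata does not advertise an introspection_endpoint")`, `return endpoint` (use whatever error type the auth provider already raises for bad issuer metadata). Note also that the config override short-circuits before `_load_metadata()`, so the (already commented-out) `validate_introspection_endpoint()` check at the top of this hunk never applies to it; the docstring should say so, e.g. `The configured override is used verbatim and is not checked against the issuer metadata.` The hunk begins in the tail of the preceding method, whose start is outside the diff.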
     async def _introspect_token(self, token: str) -> IntrospectionToken:
         """
         Send a token to the introspection endpoint and returns the introspection response
@@ -161,8 +173,7 @@ class MSC3861DelegatedAuth(BaseAuth):
         Returns:
             The introspection response
         """
-        metadata = await self._issuer_metadata.get()
-        introspection_endpoint = metadata.get("introspection_endpoint")
+        introspection_endpoint = await self._introspection_endpoint()
         raw_headers: Dict[str, str] = {
             "Content-Type": "application/x-www-form-urlencoded",
             "User-Agent": str(self._http_client.user_agent, "utf-8"),
diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py
index c21b7eb37e..bae9cc8047 100644
--- a/synapse/config/experimental.py
+++ b/synapse/config/experimental.py
@@ -140,6 +140,12 @@ class MSC3861:
                 ("experimental", "msc3861", "client_auth_method"),
             )
 
+    introspection_endpoint: Optional[str] = attr.ib(
+        default=None,
+        validator=attr.validators.optional(attr.validators.instance_of(str)),
+    )
+    """The URL of the introspection endpoint used to validate access tokens."""
+
     account_management_url: Optional[str] = attr.ib(
         default=None,
         validator=attr.validators.optional(attr.validators.instance_of(str)),
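Review bot: The new `introspection_endpoint` field is validated only as a `str`, yet whatever URL it names receives every user access token (the `_introspect_token` docstring in this diff says the token is sent there, and presumably also the client credentials chosen by `client_auth_method`) and its responses decide whether tokens are accepted, so a typo such as a missing scheme, or a plain `http://` URL to a non-loopback host, silently weakens the whole authentication path without any error at startup. I would add an `@introspection_endpoint.validator` that parses the value with `urllib.parse.urlparse`, rejects anything whose scheme is not `http` or `https` or that has an empty netloc, and warns when plain `http` is used with a non-loopback host, raising the config error type this module already uses. The attribute docstring should also state the trust implication, e.g. `Overrides the introspection endpoint advertised by OIDC discovery. Access tokens are sent to this URL and its answers are trusted, so it must be an https URL or a trusted internal network path.`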