diff --git a/synapse/config/auth.py b/synapse/config/auth.py
index 25b5cc60dc..12e853980e 100644
--- a/synapse/config/auth.py
+++ b/synapse/config/auth.py
@@ -14,11 +14,9 @@
# limitations under the License.
from typing import Any
-from authlib.jose.rfc7517 import JsonWebKey
-
from synapse.types import JsonDict
-from ._base import Config, ConfigError
+from ._base import Config
class AuthConfig(Config):
@@ -31,7 +29,14 @@ class AuthConfig(Config):
if password_config is None:
password_config = {}
- passwords_enabled = password_config.get("enabled", True)
+ # The default value of password_config.enabled is True, unless msc3861 is enabled.
+ msc3861_enabled = (
+ config.get("experimental_features", {})
+ .get("msc3861", {})
+ .get("enabled", False)
+ )
+ passwords_enabled = password_config.get("enabled", not msc3861_enabled)
+
# 'only_for_reauth' allows users who have previously set a password to use it,
# even though passwords would otherwise be disabled.
passwords_for_reauth_only = passwords_enabled == "only_for_reauth"
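Review bot: An explicit `password_config.enabled: true` together with `experimental_features.msc3861.enabled: true` is accepted by the new lines, because they only change the default. The code this commit removes further down raised a ConfigError for the equivalent combination, so unless the MSC3861 config section performs the same conflict check (not visible in this diff), a homeserver could keep local password login active alongside delegated auth. Separately, the chained `.get(...)` calls raise AttributeError rather than a config error when `experimental_features:` or `msc3861:` is present but empty in the YAML (parsed as None). Using `msc3861 = (config.get("experimental_features") or {}).get("msc3861") or {}` followed by `msc3861_enabled = msc3861.get("enabled", False)` avoids that. The enclosing method begins and ends outside this hunk.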
@@ -55,29 +60,3 @@ class AuthConfig(Config):
self.ui_auth_session_timeout = self.parse_duration(
ui_auth.get("session_timeout", 0)
)
-
- oauth_delegation = config.get("oauth_delegation", {})
- self.oauth_delegation_enabled = oauth_delegation.get("enabled", False)
- self.oauth_delegation_issuer = oauth_delegation.get("issuer", "")
- self.oauth_delegation_issuer_metadata = oauth_delegation.get("issuer_metadata")
- self.oauth_delegation_account = oauth_delegation.get("account", "")
- self.oauth_delegation_client_id = oauth_delegation.get("client_id", "")
- self.oauth_delegation_client_secret = oauth_delegation.get("client_secret", "")
- self.oauth_delegation_client_auth_method = oauth_delegation.get(
- "client_auth_method", "client_secret_post"
- )
-
- self.password_enabled = password_config.get(
- "enabled", not self.oauth_delegation_enabled
- )
-
- if self.oauth_delegation_client_auth_method == "private_key_jwt":
- self.oauth_delegation_client_secret = JsonWebKey.import_key(
- self.oauth_delegation_client_secret
- )
-
- # If we are delegating via OAuth then password cannot be supported as well
- if self.oauth_delegation_enabled and self.password_enabled:
- raise ConfigError(
- "Password auth cannot be enabled when OAuth delegation is enabled"
- )