diff options
author | Patrick Cloke <clokep@users.noreply.github.com> | 2023-01-04 14:58:08 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-04 14:58:08 -0500 |
commit | 630d0aeaf607b4016e67895d81b0402a5dfcc769 (patch) | |
tree | 466fee9b2abd278925824eb602315f6c642aae90 /synapse/config/oidc.py | |
parent | Use env vars in GHA dependabot changelog (#14772) (diff) | |
download | synapse-630d0aeaf607b4016e67895d81b0402a5dfcc769.tar.xz |
Support RFC7636 PKCE in the OAuth 2.0 flow. (#14750)
PKCE can protect against certain attacks and is enabled by default. Support can be controlled manually by setting the pkce_method of each oidc_providers entry to 'auto' (default), 'always', or 'never'. This is required by Twitter OAuth 2.0 support.
Diffstat (limited to 'synapse/config/oidc.py')
-rw-r--r-- | synapse/config/oidc.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py index 0bd83f4010..df8c422043 100644 --- a/synapse/config/oidc.py +++ b/synapse/config/oidc.py @@ -117,6 +117,7 @@ OIDC_PROVIDER_CONFIG_SCHEMA = { # to avoid importing authlib here. "enum": ["client_secret_basic", "client_secret_post", "none"], }, + "pkce_method": {"type": "string", "enum": ["auto", "always", "never"]}, "scopes": {"type": "array", "items": {"type": "string"}}, "authorization_endpoint": {"type": "string"}, "token_endpoint": {"type": "string"}, @@ -289,6 +290,7 @@ def _parse_oidc_config_dict( client_secret=oidc_config.get("client_secret"), client_secret_jwt_key=client_secret_jwt_key, client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"), + pkce_method=oidc_config.get("pkce_method", "auto"), scopes=oidc_config.get("scopes", ["openid"]), authorization_endpoint=oidc_config.get("authorization_endpoint"), token_endpoint=oidc_config.get("token_endpoint"), @@ -357,6 +359,10 @@ class OidcProviderConfig: # 'none'. client_auth_method: str + # Whether to enable PKCE when exchanging the authorization & token. + # Valid values are 'auto', 'always', and 'never'. + pkce_method: str + # list of scopes to request scopes: Collection[str] |