summary refs log tree commit diff
path: root/synapse/config/oidc2.py
diff options
context:
space:
mode:
authorDavid Robertson <davidr@element.io>2022-05-21 21:42:08 +0100
committerDavid Robertson <davidr@element.io>2022-05-21 21:42:08 +0100
commit88f603f8452aada71c4ed1f43487f56c574a4519 (patch)
tree7ef9cbbba002448e63028fcc6a1c59328e4828bc /synapse/config/oidc2.py
parentendpoints are required if discovery is enabled (diff)
downloadsynapse-88f603f8452aada71c4ed1f43487f56c574a4519.tar.xz
ensure idp_id gets a prefix
Diffstat (limited to '')
-rw-r--r--synapse/config/oidc2.py14
1 files changed, 14 insertions, 0 deletions
diff --git a/synapse/config/oidc2.py b/synapse/config/oidc2.py
index 1e2f434867..e48b635e09 100644
--- a/synapse/config/oidc2.py
+++ b/synapse/config/oidc2.py
@@ -59,6 +59,20 @@ class OIDCProviderModel(BaseModel):
     # table, as well as the query/path parameter used in the login protocol.
     idp_id: IDP_ID_TYPE
 
+    @validator("idp_id")
+    def ensure_idp_id_prefix(cls: Type[BaseModel], idp_id: str) -> str:
+        """Prefix the given IDP with a prefix specific to the SSO mechanism, to avoid
+        clashes with other mechs (such as SAML, CAS).
+
+        We allow "oidc" as an exception so that people migrating from old-style
+        "oidc_config" format (which has long used "oidc" as its idp_id) can migrate to
+        a new-style "oidc_providers" entry without changing the idp_id for their provider
+        (and thereby invalidating their user_external_ids data).
+        """
+        if idp_id != "oidc":
+            return "oidc-" + idp_id
+        return idp_id
+
     # user-facing name for this identity provider.
     idp_name: StrictStr