summary refs log tree commit diff
path: root/synapse/config/oidc_config.py
diff options
context:
space:
mode:
authorRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2021-01-20 13:55:14 +0000
committerGitHub <noreply@github.com>2021-01-20 08:55:14 -0500
commite51b2f3f912534c8f6af70c746c993352a05c1be (patch)
tree07f43a599c078d9c2861d0035def617fb2a33a39 /synapse/config/oidc_config.py
parentSupport icons for Identity Providers (#9154) (diff)
downloadsynapse-e51b2f3f912534c8f6af70c746c993352a05c1be.tar.xz
Tighten the restrictions on `idp_id` (#9177)
Diffstat (limited to '')
-rw-r--r--synapse/config/oidc_config.py12
1 files changed, 9 insertions, 3 deletions
diff --git a/synapse/config/oidc_config.py b/synapse/config/oidc_config.py
index f257fcd412..8cb0c42f36 100644
--- a/synapse/config/oidc_config.py
+++ b/synapse/config/oidc_config.py
@@ -331,17 +331,23 @@ def _parse_oidc_config_dict(
             config_path + ("user_mapping_provider", "module"),
         )
 
-    # MSC2858 will appy certain limits in what can be used as an IdP id, so let's
+    # MSC2858 will apply certain limits in what can be used as an IdP id, so let's
     # enforce those limits now.
+    # TODO: factor out this stuff to a generic function
     idp_id = oidc_config.get("idp_id", "oidc")
-    valid_idp_chars = set(string.ascii_letters + string.digits + "-._~")
+    valid_idp_chars = set(string.ascii_lowercase + string.digits + "-._")
 
     if any(c not in valid_idp_chars for c in idp_id):
         raise ConfigError(
-            'idp_id may only contain A-Z, a-z, 0-9, "-", ".", "_", "~"',
+            'idp_id may only contain a-z, 0-9, "-", ".", "_"',
             config_path + ("idp_id",),
         )
 
+    if idp_id[0] not in string.ascii_lowercase:
+        raise ConfigError(
+            "idp_id must start with a-z", config_path + ("idp_id",),
+        )
+
     # MSC2858 also specifies that the idp_icon must be a valid MXC uri
     idp_icon = oidc_config.get("idp_icon")
     if idp_icon is not None: