authorRichard van der Hoff <richard@matrix.org>2020-03-27 20:24:52 +0000
committerRichard van der Hoff <richard@matrix.org>2020-03-27 20:24:52 +0000
commitb7da598a61a1bcea3855edf403bdc5ea32cc9e7a (patch)
tree541e73a57229f1eff436747d419764529d809250 /synapse/config
parentImprove the UX of the login fallback when using SSO (#7152) (diff)
Always whitelist the login fallback for SSO (#7153)
That fallback sets the redirect URL to itself (so it can process the login
token then return gracefully to the client). This would make it pointless to
ask the user for confirmation, since the URL the confirmation page would be
showing wouldn't be the client's.
Diffstat (limited to 'synapse/config')
-rw-r--r--synapse/config/sso.py15
1 files changed, 15 insertions, 0 deletions
diff --git a/synapse/config/sso.py b/synapse/config/sso.py
index 95762689bc..ec3dca9efc 100644
--- a/synapse/config/sso.py
+++ b/synapse/config/sso.py
@@ -39,6 +39,17 @@ class SSOConfig(Config):
 
         self.sso_client_whitelist = sso_config.get("client_whitelist") or []
 
+        # Attempt to also whitelist the server's login fallback, since that fallback sets
+        # the redirect URL to itself (so it can process the login token then return
+        # gracefully to the client). This would make it pointless to ask the user for
+        # confirmation, since the URL the confirmation page would be showing wouldn't be
+        # the client's.
+        # public_baseurl is an optional setting, so we only add the fallback's URL to the
+        # list if it's provided (because we can't figure out what that URL is otherwise).
+        if self.public_baseurl:
+            login_fallback_url = self.public_baseurl + "_matrix/static/client/login"
+            self.sso_client_whitelist.append(login_fallback_url)
+
     def generate_config_section(self, **kwargs):
         return """\
         # Additional settings to use with single-sign on systems such as SAML2 and CAS.
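Review bot: The concatenation on the `login_fallback_url` line relies on `public_baseurl` ending with a slash; if that invariant is not guaranteed by the server config's normalization, a base URL such as `https://example.invalid` (constructed example) yields `https://example.invalid_matrix/static/client/login`, and since entries in `client_whitelist` are matched as prefixes (per the "include a slash after the hostname" guidance in the generated config), the whitelist would then carry a prefix for a host the operator does not control. Either record the assumption with a comment, `# public_baseurl is normalized to end with "/" by the server config`, or make it explicit with `login_fallback_url = self.public_baseurl.rstrip("/") + "/_matrix/static/client/login"`. The `append` also mutates the list object returned by `sso_config.get("client_whitelist")` in place rather than a copy, which is harmless here but worth a word if the parsed config dict is read again elsewhere. The enclosing method begins above the hunk.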
@@ -54,6 +65,10 @@ class SSOConfig(Config):
             # phishing attacks from evil.site. To avoid this, include a slash after the
             # hostname: "https://my.client/".
             #
+            # If public_baseurl is set, then the login fallback page (used by clients
+            # that don't natively support the required login flows) is whitelisted in
+            # addition to any URLs in this list.
+            #
             # By default, this list is empty.
             #
             #client_whitelist: