Add an openidish mechanism for proving to third parties that you own a given user_id

author: Mark Haines <mark.haines@matrix.org> 2016-05-05 13:42:44 +0100
committer: Mark Haines <mark.haines@matrix.org> 2016-05-05 13:42:44 +0100
commit: 9c272da05fcf51534aaa877647bc3b82bf841cf3 (patch)
tree: b4ad76ff6acd5d5e38907208065689fb37c42e4c /synapse/federation/transport
parent: Merge pull request #762 from matrix-org/erikj/report_event (diff)
download: synapse-9c272da05fcf51534aaa877647bc3b82bf841cf3.tar.xz
1 files changed, 46 insertions, 1 deletions
diff --git a/synapse/federation/transport/server.py b/synapse/federation/transport/server.py
index 3e552b6c44..5b6c7d11dd 100644
--- a/synapse/federation/transport/server.py
+++ b/synapse/federation/transport/server.py
@@ -18,7 +18,7 @@ from twisted.internet import defer
 from synapse.api.urls import FEDERATION_PREFIX as PREFIX
 from synapse.api.errors import Codes, SynapseError
 from synapse.http.server import JsonResource
-from synapse.http.servlet import parse_json_object_from_request
+from synapse.http.servlet import parse_json_object_from_request, parse_string
 from synapse.util.ratelimitutils import FederationRateLimiter
 
 import functools
@@ -448,6 +448,50 @@ class On3pidBindServlet(BaseFederationServlet):
         return code
 
 
+class OpenIdUserInfo(BaseFederationServlet):
+    """
+    Exchange a bearer token for information about a user.
+
+    The response format should be compatible with:
+        http://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
+
+    GET /openid/userinfo?access_token=ABDEFGH HTTP/1.1
+
+    HTTP/1.1 200 OK
+    Content-Type: application/json
+
+    {
+        "sub": "@userpart:example.org",
+    }
+    """
+
+    PATH = "/openid/userinfo"
+
+    @defer.inlineCallbacks
+    def on_GET(self, request):
+        token = parse_string(request, "access_token")
+        if token is None:
+            defer.returnValue((401, {
+                "errcode": "M_MISSING_TOKEN", "error": "Access Token required"
+            }))
+            return
+
+        user_id = yield self.handler.on_openid_userinfo(token)
+
+        if user_id is None:
+            defer.returnValue((401, {
+                "errcode": "M_UNKNOWN_TOKEN",
+                "error": "Access Token unknown or expired"
+            }))
+
+        defer.returnValue((200, {"sub": user_id}))
+
+    # Avoid doing remote HS authorization checks which are done by default by
+    # BaseFederationServlet.
+    def _wrap(self, code):
+        return code
+
+
 SERVLET_CLASSES = (
     FederationSendServlet,
     FederationPullServlet,
@@ -468,6 +512,7 @@ SERVLET_CLASSES = (
     FederationClientKeysClaimServlet,
     FederationThirdPartyInviteExchangeServlet,
     On3pidBindServlet,
+    OpenIdUserInfo,
 )
author	Mark Haines <mark.haines@matrix.org>	2016-05-05 13:42:44 +0100
committer	Mark Haines <mark.haines@matrix.org>	2016-05-05 13:42:44 +0100
commit	9c272da05fcf51534aaa877647bc3b82bf841cf3 (patch)
tree	b4ad76ff6acd5d5e38907208065689fb37c42e4c /synapse/federation/transport
parent	Merge pull request #762 from matrix-org/erikj/report_event (diff)
download	synapse-9c272da05fcf51534aaa877647bc3b82bf841cf3.tar.xz