authorHubbe <HubbeKing@users.noreply.github.com>2021-03-16 17:46:07 +0200
committerGitHub <noreply@github.com>2021-03-16 11:46:07 -0400
commitdd5e5dc1d6c88a3532d25f18cfc312d8bc813473 (patch)
treee030d17da10e55b25a5389a350aff6ef55dc37cd /synapse/handlers/oidc_handler.py
parentReturn m.change_password.enabled=false if local database is disabled (#9588) (diff)
Add SSO attribute requirements for OIDC providers (#9609)
Allows limiting who can log in using OIDC via the claims
returned by the IdP.
Diffstat (limited to 'synapse/handlers/oidc_handler.py')
-rw-r--r--synapse/handlers/oidc_handler.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py
index 6d8551a6d6..bc3630e9e9 100644
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@@ -280,6 +280,7 @@ class OidcProvider:
         self._config = provider
         self._callback_url = hs.config.oidc_callback_url  # type: str
 
+        self._oidc_attribute_requirements = provider.attribute_requirements
         self._scopes = provider.scopes
         self._user_profile_method = provider.user_profile_method
 
@@ -859,6 +860,18 @@ class OidcProvider:
             )
 
         # otherwise, it's a login
+        logger.debug("Userinfo for OIDC login: %s", userinfo)
+
+        # Ensure that the attributes of the logged in user meet the required
+        # attributes by checking the userinfo against attribute_requirements
+        # In order to deal with the fact that OIDC userinfo can contain many
+        # types of data, we wrap non-list values in lists.
+        if not self._sso_handler.check_required_attributes(
+            request,
+            {k: v if isinstance(v, list) else [v] for k, v in userinfo.items()},
+            self._oidc_attribute_requirements,
+        ):
+            return
 
         # Call the mapper to register/login the user
         try:
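Review bot: The new `logger.debug("Userinfo for OIDC login: %s", userinfo)` writes the complete claim set to the log, and OIDC userinfo typically carries personal data (subject identifier, e-mail, display name and whatever extra claims the IdP emits), so this line puts PII into log files whenever debug logging is enabled; logging only the claim names, e.g. `logger.debug("Userinfo claims for OIDC login: %s", sorted(userinfo))`, keeps the diagnostic value without retaining the values. The bare `return` after the `check_required_attributes` call presumably relies on that helper having already written an error response to `request` (it is not visible here), which is worth stating in a one-line comment such as `# check_required_attributes has already responded to the request`. The list-wrapping comprehension also wraps `None` and nested-dict claim values as single-element lists, so a requirement on a nested claim will never match; if that is intended, the comment above it should say so. The enclosing method starts outside this hunk.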