summary refs log tree commit diff
path: root/synapse/handlers
diff options
context:
space:
mode:
authorHubbe <HubbeKing@users.noreply.github.com>2021-03-16 17:46:07 +0200
committerGitHub <noreply@github.com>2021-03-16 11:46:07 -0400
commitdd5e5dc1d6c88a3532d25f18cfc312d8bc813473 (patch)
treee030d17da10e55b25a5389a350aff6ef55dc37cd /synapse/handlers
parentReturn m.change_password.enabled=false if local database is disabled (#9588) (diff)
downloadsynapse-dd5e5dc1d6c88a3532d25f18cfc312d8bc813473.tar.xz
Add SSO attribute requirements for OIDC providers (#9609)
Allows limiting who can login using OIDC via the claims
made from the IdP.
Diffstat (limited to 'synapse/handlers')
-rw-r--r--synapse/handlers/oidc_handler.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py
index 6d8551a6d6..bc3630e9e9 100644
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@@ -280,6 +280,7 @@ class OidcProvider:
         self._config = provider
         self._callback_url = hs.config.oidc_callback_url  # type: str
 
+        self._oidc_attribute_requirements = provider.attribute_requirements
         self._scopes = provider.scopes
         self._user_profile_method = provider.user_profile_method
 
@@ -859,6 +860,18 @@ class OidcProvider:
             )
 
         # otherwise, it's a login
+        logger.debug("Userinfo for OIDC login: %s", userinfo)
+
+        # Ensure that the attributes of the logged in user meet the required
+        # attributes by checking the userinfo against attribute_requirements
+        # In order to deal with the fact that OIDC userinfo can contain many
+        # types of data, we wrap non-list values in lists.
+        if not self._sso_handler.check_required_attributes(
+            request,
+            {k: v if isinstance(v, list) else [v] for k, v in userinfo.items()},
+            self._oidc_attribute_requirements,
+        ):
+            return
 
         # Call the mapper to register/login the user
         try: