diff options
author | Brendan Abolivier <babolivier@matrix.org> | 2020-03-27 15:34:41 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-27 15:34:41 +0100 |
commit | 319c41f573eb14a966367b60b2e6e93bf6b028d9 (patch) | |
tree | e06b3dd08144f896551dea3a5b764b377f43be69 /synapse | |
parent | Merge tag 'v1.12.0' (diff) | |
parent | Update the wording of the config comment (diff) | |
download | synapse-319c41f573eb14a966367b60b2e6e93bf6b028d9.tar.xz |
Merge pull request #7153 from matrix-org/babolivier/sso_whitelist_login_fallback
Always whitelist the login fallback for SSO
Diffstat (limited to 'synapse')
-rw-r--r-- | synapse/config/sso.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/synapse/config/sso.py b/synapse/config/sso.py index 95762689bc..ec3dca9efc 100644 --- a/synapse/config/sso.py +++ b/synapse/config/sso.py @@ -39,6 +39,17 @@ class SSOConfig(Config): self.sso_client_whitelist = sso_config.get("client_whitelist") or [] + # Attempt to also whitelist the server's login fallback, since that fallback sets + # the redirect URL to itself (so it can process the login token then return + # gracefully to the client). This would make it pointless to ask the user for + # confirmation, since the URL the confirmation page would be showing wouldn't be + # the client's. + # public_baseurl is an optional setting, so we only add the fallback's URL to the + # list if it's provided (because we can't figure out what that URL is otherwise). + if self.public_baseurl: + login_fallback_url = self.public_baseurl + "_matrix/static/client/login" + self.sso_client_whitelist.append(login_fallback_url) + def generate_config_section(self, **kwargs): return """\ # Additional settings to use with single-sign on systems such as SAML2 and CAS. @@ -54,6 +65,10 @@ class SSOConfig(Config): # phishing attacks from evil.site. To avoid this, include a slash after the # hostname: "https://my.client/". # + # If public_baseurl is set, then the login fallback page (used by clients + # that don't natively support the required login flows) is whitelisted in + # addition to any URLs in this list. + # # By default, this list is empty. # #client_whitelist: |