diff --git a/changelog.d/16806.misc b/changelog.d/16806.misc
new file mode 100644
index 0000000000..623338268b
--- /dev/null
+++ b/changelog.d/16806.misc
@@ -0,0 +1 @@
+Reject OIDC config when `client_secret` isn't specified, but the auth method requires one.
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index 07ca16c94c..8f9cdbddbb 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@@ -299,6 +299,19 @@ def _parse_oidc_config_dict(
config_path + ("client_secret",),
)
+ # If no client secret is specified then the auth method must be None
+ client_auth_method = oidc_config.get("client_auth_method")
+ if client_secret is None and client_secret_jwt_key is None:
+ if client_auth_method is None:
+ client_auth_method = "none"
+ elif client_auth_method != "none":
+ raise ConfigError(
+ "No 'client_secret' is set in OIDC config, and 'client_auth_method' is not set to 'none'"
+ )
+
+ if client_auth_method is None:
+ client_auth_method = "client_secret_basic"
+
return OidcProviderConfig(
idp_id=idp_id,
idp_name=oidc_config.get("idp_name", "OIDC"),
@@ -309,7 +322,7 @@ def _parse_oidc_config_dict(
client_id=oidc_config["client_id"],
client_secret=client_secret,
client_secret_jwt_key=client_secret_jwt_key,
- client_auth_method=oidc_config.get("client_auth_method", "client_secret_basic"),
+ client_auth_method=client_auth_method,
pkce_method=oidc_config.get("pkce_method", "auto"),
scopes=oidc_config.get("scopes", ["openid"]),
authorization_endpoint=oidc_config.get("authorization_endpoint"),