summary refs log tree commit diff
path: root/synapse
diff options
context:
space:
mode:
Diffstat (limited to 'synapse')
-rw-r--r--synapse/config/oidc.py6
-rw-r--r--synapse/handlers/oidc.py20
2 files changed, 20 insertions, 6 deletions
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index 102dba0219..d0a03baf55 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@@ -342,6 +342,9 @@ def _parse_oidc_config_dict(
         user_mapping_provider_config=user_mapping_provider_config,
         attribute_requirements=attribute_requirements,
         enable_registration=oidc_config.get("enable_registration", True),
+        additional_authorization_parameters=oidc_config.get(
+            "additional_authorization_parameters", {}
+        ),
     )
 
 
@@ -444,3 +447,6 @@ class OidcProviderConfig:
 
     # Whether automatic registrations are enabled in the ODIC flow. Defaults to True
     enable_registration: bool
+
+    # Additional parameters that will be passed to the authorization grant URL
+    additional_authorization_parameters: Mapping[str, str]
diff --git a/synapse/handlers/oidc.py b/synapse/handlers/oidc.py
index ab28dc800e..22b59829fa 100644
--- a/synapse/handlers/oidc.py
+++ b/synapse/handlers/oidc.py
@@ -453,6 +453,10 @@ class OidcProvider:
         # optional brand identifier for this auth provider
         self.idp_brand = provider.idp_brand
 
+        self.additional_authorization_parameters = (
+            provider.additional_authorization_parameters
+        )
+
         self._sso_handler = hs.get_sso_handler()
         self._device_handler = hs.get_device_handler()
 
@@ -1006,17 +1010,21 @@ class OidcProvider:
 
         metadata = await self.load_metadata()
 
+        additional_authorization_parameters = dict(
+            self.additional_authorization_parameters
+        )
         # Automatically enable PKCE if it is supported.
-        extra_grant_values = {}
         if metadata.get("code_challenge_methods_supported"):
             code_verifier = generate_token(48)
 
             # Note that we verified the server supports S256 earlier (in
             # OidcProvider._validate_metadata).
-            extra_grant_values = {
-                "code_challenge_method": "S256",
-                "code_challenge": create_s256_code_challenge(code_verifier),
-            }
+            additional_authorization_parameters.update(
+                {
+                    "code_challenge_method": "S256",
+                    "code_challenge": create_s256_code_challenge(code_verifier),
+                }
+            )
 
         cookie = self._macaroon_generaton.generate_oidc_session_token(
             state=state,
@@ -1055,7 +1063,7 @@ class OidcProvider:
             scope=self._scopes,
             state=state,
             nonce=nonce,
-            **extra_grant_values,
+            **additional_authorization_parameters,
         )
 
     async def handle_oidc_callback(