From 245d5d66d3fb9a5682da22abe7c5a7cc165a7e0f Mon Sep 17 00:00:00 2001
From: David Robertson
Date: Sun, 22 May 2022 18:32:02 +0100
Subject: ClientSecretJWTKey (needs testing)

---
 synapse/config/oidc2.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/synapse/config/oidc2.py b/synapse/config/oidc2.py
index ab1a79c272..07f400e0b3 100644
--- a/synapse/config/oidc2.py
+++ b/synapse/config/oidc2.py
@@ -57,6 +57,22 @@ class SSOAttributeRequirement(BaseModel):
     value: StrictStr
 
 
+class ClientSecretJWTKey(BaseModel):
+    class Config:
+        extra = "forbid"
+    # a pem-encoded signing key
+    # TODO: how should we handle key_file?
+    key: StrictStr
+
+    # properties to include in the JWT header
+    # TODO: validator should enforce that jwt_header contains an 'alg'.
+    jwt_header: Mapping[str, str]
+
+    # properties to include in the JWT payload.
+    jwt_payload: Mapping[str, str] = {}
+
+
+
 class OIDCProviderModel(BaseModel):
     """
     Notes on Pydantic:
@@ -115,9 +131,11 @@ class OIDCProviderModel(BaseModel):
 
     # key to use to construct a JWT to use as a client secret. May be `None` if
     # `client_secret` is set.
-    # TODO
-    client_secret_jwt_key: Optional[Any] # OidcProviderClientSecretJwtKey]
+    # TODO: test that ClientSecretJWTKey is being parsed correctly
+    client_secret_jwt_key: Optional[ClientSecretJWTKey]
 
+    # TODO: what is the precise relationship between client_auth_method, client_secret
+    # and client_secret_jwt_key? Is there anything we should enforce with a validator?
     # auth method to use when exchanging the token.
     # Valid values are 'client_secret_basic', 'client_secret_post' and
     # 'none'.
-- 
cgit 1.5.1
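Review bot: The `alg` TODO on `jwt_header` in the new `ClientSecretJWTKey` model should be tightened beyond "contains an 'alg'": the header is a free-form `Mapping[str, str]`, so a configuration can set `alg: none` (or an algorithm that does not match the PEM material in `key`) and the client-assertion JWT built from it would be unsigned or mis-signed, which is exactly what `extra = "forbid"` is trying to prevent for unknown fields. A pydantic validator should reject a missing or `none` alg and, if the signing code has a fixed set of supported algorithms, check against that allowlist (the signing code is not visible in this diff, so I can't name the set). Separately, `key` holds private key material as a plain `StrictStr`, so it appears verbatim in the model's repr and in any `.dict()`/log dump; `pydantic.SecretStr` with `.get_secret_value()` at the signing site would keep it out of logs. Both `validator` and `SecretStr` need importing from pydantic, and the import block is outside this hunk.
```python
class ClientSecretJWTKey(BaseModel):
    # … unchanged: Config, key, jwt_header, jwt_payload …

    @validator("jwt_header")
    def _require_signed_alg(cls, header: Mapping[str, str]) -> Mapping[str, str]:
        # Refuse unsigned assertions; extend to an allowlist once the
        # supported signing algorithms are pinned down.
        alg = header.get("alg")
        if not alg or alg.lower() == "none":
            raise ValueError("jwt_header must include an 'alg' other than 'none'")
        return header
```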
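Review bot: The new TODO above `client_auth_method` can be answered from comments already in this hunk: `client_secret_jwt_key` "may be `None` if `client_secret` is set" and the auth method may be `none`, so the consistent rule is that the two credentials are mutually exclusive and at least one is required whenever `client_auth_method` is not `'none'`. A `root_validator` (pydantic import not visible here) enforcing that would fail at config load instead of at the first token exchange; the sketch below assumes `client_auth_method` has a non-None default, which I cannot confirm since its definition and `client_secret`'s lie outside this hunk. Note also that in a pydantic `root_validator` a field that already failed its own validation is absent from `values`, so the `.get()` calls are deliberate.
```python
    # … unchanged: client_secret_jwt_key, client_auth_method fields …

    @root_validator
    def _check_client_credentials(cls, values):
        secret = values.get("client_secret")
        jwt_key = values.get("client_secret_jwt_key")
        if secret is not None and jwt_key is not None:
            raise ValueError("client_secret and client_secret_jwt_key are mutually exclusive")
        if values.get("client_auth_method") != "none" and secret is None and jwt_key is None:
            raise ValueError(
                "client_secret or client_secret_jwt_key is required unless client_auth_method is 'none'"
            )
        return values
```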