From 048c1ac7f6cb3c05ac71fcbb73db49d9a32b1984 Mon Sep 17 00:00:00 2001
From: Quentin Gliech <quenting@element.io>
Date: Tue, 21 Jan 2025 13:48:49 +0100
Subject: [PATCH] Support the new `/auth_metadata` endpoint defined in MSC2965.
(#18093)
See the updated MSC2965
---------
Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
---
changelog.d/18093.feature | 1 +
synapse/api/auth/msc3861_delegated.py | 6 +
synapse/rest/__init__.py | 6 +-
.../{auth_issuer.py => auth_metadata.py} | 37 +++++
tests/rest/client/test_auth_issuer.py | 79 ----------
tests/rest/client/test_auth_metadata.py | 140 ++++++++++++++++++
6 files changed, 187 insertions(+), 82 deletions(-)
create mode 100644 changelog.d/18093.feature
rename synapse/rest/client/{auth_issuer.py => auth_metadata.py} (64%)
delete mode 100644 tests/rest/client/test_auth_issuer.py
create mode 100644 tests/rest/client/test_auth_metadata.py
diff --git a/changelog.d/18093.feature b/changelog.d/18093.feature
new file mode 100644
index 0000000000..689766ec0a
--- /dev/null
+++ b/changelog.d/18093.feature
@@ -0,0 +1 @@
+Support the new `/auth_metadata` endpoint defined in [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965).
\ No newline at end of file
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index 53907c01d4..802ea51d18 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -174,6 +174,12 @@ class MSC3861DelegatedAuth(BaseAuth):
logger.warning("Failed to load metadata:", exc_info=True)
return None
+ async def auth_metadata(self) -> Dict[str, Any]:
+ """
+ Returns the auth metadata dict
+ """
+ return await self._issuer_metadata.get()
+
async def _introspection_endpoint(self) -> str:
"""
Returns the introspection endpoint of the issuer
diff --git a/synapse/rest/__init__.py b/synapse/rest/__init__.py
index 4e594e6595..2f1ef84e26 100644
--- a/synapse/rest/__init__.py
+++ b/synapse/rest/__init__.py
@@ -29,7 +29,7 @@ from synapse.rest.client import (
account_validity,
appservice_ping,
auth,
- auth_issuer,
+ auth_metadata,
capabilities,
delayed_events,
devices,
@@ -121,7 +121,7 @@ CLIENT_SERVLET_FUNCTIONS: Tuple[RegisterServletsFunc, ...] = (
mutual_rooms.register_servlets,
login_token_request.register_servlets,
rendezvous.register_servlets,
- auth_issuer.register_servlets,
+ auth_metadata.register_servlets,
)
SERVLET_GROUPS: Dict[str, Iterable[RegisterServletsFunc]] = {
@@ -187,7 +187,7 @@ class ClientRestResource(JsonResource):
mutual_rooms.register_servlets,
login_token_request.register_servlets,
rendezvous.register_servlets,
- auth_issuer.register_servlets,
+ auth_metadata.register_servlets,
]:
continue
diff --git a/synapse/rest/client/auth_issuer.py b/synapse/rest/client/auth_metadata.py
similarity index 64%
rename from synapse/rest/client/auth_issuer.py
rename to synapse/rest/client/auth_metadata.py
index acd0399d85..5444a89be6 100644
--- a/synapse/rest/client/auth_issuer.py
+++ b/synapse/rest/client/auth_metadata.py
@@ -32,6 +32,8 @@ logger = logging.getLogger(__name__)
class AuthIssuerServlet(RestServlet):
"""
Advertises what OpenID Connect issuer clients should use to authorise users.
+ This endpoint was defined in a previous iteration of MSC2965, and is still
+ used by some clients.
"""
PATTERNS = client_patterns(
@@ -63,7 +65,42 @@ class AuthIssuerServlet(RestServlet):
)
+class AuthMetadataServlet(RestServlet):
+ """
+ Advertises the OAuth 2.0 server metadata for the homeserver.
+ """
+
+ PATTERNS = client_patterns(
+ "/org.matrix.msc2965/auth_metadata$",
+ unstable=True,
+ releases=(),
+ )
+
+ def __init__(self, hs: "HomeServer"):
+ super().__init__()
+ self._config = hs.config
+ self._auth = hs.get_auth()
+
+ async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
+ if self._config.experimental.msc3861.enabled:
+ # If MSC3861 is enabled, we can assume self._auth is an instance of MSC3861DelegatedAuth
+ # We import lazily here because of the authlib requirement
+ from synapse.api.auth.msc3861_delegated import MSC3861DelegatedAuth
+
+ auth = cast(MSC3861DelegatedAuth, self._auth)
+ return 200, await auth.auth_metadata()
+ else:
+ # Wouldn't expect this to be reached: the servlet shouldn't have been
+ # registered. Still, fail gracefully if we are registered for some reason.
+ raise SynapseError(
+ 404,
+ "OIDC discovery has not been configured on this homeserver",
+ Codes.NOT_FOUND,
+ )
+
+
def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
# We use the MSC3861 values as they are used by multiple MSCs
if hs.config.experimental.msc3861.enabled:
AuthIssuerServlet(hs).register(http_server)
+ AuthMetadataServlet(hs).register(http_server)
diff --git a/tests/rest/client/test_auth_issuer.py b/tests/rest/client/test_auth_issuer.py
deleted file mode 100644
index d6f334a7ab..0000000000
--- a/tests/rest/client/test_auth_issuer.py
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright 2023 The Matrix.org Foundation C.I.C.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-from http import HTTPStatus
-from unittest.mock import AsyncMock
-
-from synapse.rest.client import auth_issuer
-
-from tests.unittest import HomeserverTestCase, override_config, skip_unless
-from tests.utils import HAS_AUTHLIB
-
-ISSUER = "https://account.example.com/"
-
-
-class AuthIssuerTestCase(HomeserverTestCase):
- servlets = [
- auth_issuer.register_servlets,
- ]
-
- def test_returns_404_when_msc3861_disabled(self) -> None:
- # Make an unauthenticated request for the discovery info.
- channel = self.make_request(
- "GET",
- "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
- )
- self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
-
- @skip_unless(HAS_AUTHLIB, "requires authlib")
- @override_config(
- {
- "disable_registration": True,
- "experimental_features": {
- "msc3861": {
- "enabled": True,
- "issuer": ISSUER,
- "client_id": "David Lister",
- "client_auth_method": "client_secret_post",
- "client_secret": "Who shot Mister Burns?",
- }
- },
- }
- )
- def test_returns_issuer_when_oidc_enabled(self) -> None:
- # Patch the HTTP client to return the issuer metadata
- req_mock = AsyncMock(return_value={"issuer": ISSUER})
- self.hs.get_proxied_http_client().get_json = req_mock # type: ignore[method-assign]
-
- channel = self.make_request(
- "GET",
- "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
- )
-
- self.assertEqual(channel.code, HTTPStatus.OK)
- self.assertEqual(channel.json_body, {"issuer": ISSUER})
-
- req_mock.assert_called_with(
- "https://account.example.com/.well-known/openid-configuration"
- )
- req_mock.reset_mock()
-
- # Second call it should use the cached value
- channel = self.make_request(
- "GET",
- "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
- )
-
- self.assertEqual(channel.code, HTTPStatus.OK)
- self.assertEqual(channel.json_body, {"issuer": ISSUER})
- req_mock.assert_not_called()
diff --git a/tests/rest/client/test_auth_metadata.py b/tests/rest/client/test_auth_metadata.py
new file mode 100644
index 0000000000..a935533b09
--- /dev/null
+++ b/tests/rest/client/test_auth_metadata.py
@@ -0,0 +1,140 @@
+#
+# This file is licensed under the Affero General Public License (AGPL) version 3.
+#
+# Copyright 2023 The Matrix.org Foundation C.I.C
+# Copyright (C) 2023-2025 New Vector, Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# See the GNU Affero General Public License for more details:
+# <https://www.gnu.org/licenses/agpl-3.0.html>.
+#
+# Originally licensed under the Apache License, Version 2.0:
+# <http://www.apache.org/licenses/LICENSE-2.0>.
+#
+# [This file includes modifications made by New Vector Limited]
+#
+from http import HTTPStatus
+from unittest.mock import AsyncMock
+
+from synapse.rest.client import auth_metadata
+
+from tests.unittest import HomeserverTestCase, override_config, skip_unless
+from tests.utils import HAS_AUTHLIB
+
+ISSUER = "https://account.example.com/"
+
+
+class AuthIssuerTestCase(HomeserverTestCase):
+ servlets = [
+ auth_metadata.register_servlets,
+ ]
+
+ def test_returns_404_when_msc3861_disabled(self) -> None:
+ # Make an unauthenticated request for the discovery info.
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+ )
+ self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
+
+ @skip_unless(HAS_AUTHLIB, "requires authlib")
+ @override_config(
+ {
+ "disable_registration": True,
+ "experimental_features": {
+ "msc3861": {
+ "enabled": True,
+ "issuer": ISSUER,
+ "client_id": "David Lister",
+ "client_auth_method": "client_secret_post",
+ "client_secret": "Who shot Mister Burns?",
+ }
+ },
+ }
+ )
+ def test_returns_issuer_when_oidc_enabled(self) -> None:
+ # Patch the HTTP client to return the issuer metadata
+ req_mock = AsyncMock(return_value={"issuer": ISSUER})
+ self.hs.get_proxied_http_client().get_json = req_mock # type: ignore[method-assign]
+
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+ )
+
+ self.assertEqual(channel.code, HTTPStatus.OK)
+ self.assertEqual(channel.json_body, {"issuer": ISSUER})
+
+ req_mock.assert_called_with(
+ "https://account.example.com/.well-known/openid-configuration"
+ )
+ req_mock.reset_mock()
+
+ # Second call it should use the cached value
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+ )
+
+ self.assertEqual(channel.code, HTTPStatus.OK)
+ self.assertEqual(channel.json_body, {"issuer": ISSUER})
+ req_mock.assert_not_called()
+
+
+class AuthMetadataTestCase(HomeserverTestCase):
+ servlets = [
+ auth_metadata.register_servlets,
+ ]
+
+ def test_returns_404_when_msc3861_disabled(self) -> None:
+ # Make an unauthenticated request for the discovery info.
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_metadata",
+ )
+ self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
+
+ @skip_unless(HAS_AUTHLIB, "requires authlib")
+ @override_config(
+ {
+ "disable_registration": True,
+ "experimental_features": {
+ "msc3861": {
+ "enabled": True,
+ "issuer": ISSUER,
+ "client_id": "David Lister",
+ "client_auth_method": "client_secret_post",
+ "client_secret": "Who shot Mister Burns?",
+ }
+ },
+ }
+ )
+ def test_returns_issuer_when_oidc_enabled(self) -> None:
+ # Patch the HTTP client to return the issuer metadata
+ req_mock = AsyncMock(
+ return_value={
+ "issuer": ISSUER,
+ "authorization_endpoint": "https://example.com/auth",
+ "token_endpoint": "https://example.com/token",
+ }
+ )
+ self.hs.get_proxied_http_client().get_json = req_mock # type: ignore[method-assign]
+
+ channel = self.make_request(
+ "GET",
+ "/_matrix/client/unstable/org.matrix.msc2965/auth_metadata",
+ )
+
+ self.assertEqual(channel.code, HTTPStatus.OK)
+ self.assertEqual(
+ channel.json_body,
+ {
+ "issuer": ISSUER,
+ "authorization_endpoint": "https://example.com/auth",
+ "token_endpoint": "https://example.com/token",
+ },
+ )
--
GitLab