From 33f64ca7d66c099c2f774ee2b5dd75eac008e345 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Tue, 16 Feb 2021 22:33:09 +0000
Subject: [PATCH] Allow OIDC config to override discovered values (#9384)

Fixes #9347
---
 changelog.d/9384.misc            |  1 +
 synapse/handlers/oidc_handler.py | 27 ++++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 changelog.d/9384.misc

diff --git a/changelog.d/9384.misc b/changelog.d/9384.misc
new file mode 100644
index 0000000000..9db61f44db
--- /dev/null
+++ b/changelog.d/9384.misc
@@ -0,0 +1 @@
+Allow OIDC config to override discovered values.
diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py
index 702bfb8bc9..c00b9c57c6 100644
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@@ -383,22 +383,31 @@ class OidcProvider:
         return await self._provider_metadata.get()
 
     async def _load_metadata(self) -> OpenIDProviderMetadata:
-        # init the metadata from our config
-        metadata = OpenIDProviderMetadata(
-            issuer=self._config.issuer,
-            authorization_endpoint=self._config.authorization_endpoint,
-            token_endpoint=self._config.token_endpoint,
-            userinfo_endpoint=self._config.userinfo_endpoint,
-            jwks_uri=self._config.jwks_uri,
-        )
+        # start out with just the issuer (unlike the other settings, discovered issuer
+        # takes precedence over configured issuer, because configured issuer is
+        # required for discovery to take place.)
+        #
+        metadata = OpenIDProviderMetadata(issuer=self._config.issuer)
 
         # load any data from the discovery endpoint, if enabled
         if self._config.discover:
             url = get_well_known_url(self._config.issuer, external=True)
             metadata_response = await self._http_client.get_json(url)
-            # TODO: maybe update the other way around to let user override some values?
             metadata.update(metadata_response)
 
+        # override any discovered data with any settings in our config
+        if self._config.authorization_endpoint:
+            metadata["authorization_endpoint"] = self._config.authorization_endpoint
+
+        if self._config.token_endpoint:
+            metadata["token_endpoint"] = self._config.token_endpoint
+
+        if self._config.userinfo_endpoint:
+            metadata["userinfo_endpoint"] = self._config.userinfo_endpoint
+
+        if self._config.jwks_uri:
+            metadata["jwks_uri"] = self._config.jwks_uri
+
         self._validate_metadata(metadata)
 
         return metadata
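Review bot: Once `metadata.update(metadata_response)` runs, the discovery document's `issuer` replaces the configured one (as the new comment says), yet nothing in the hunk checks that the two agree; OpenID Connect Discovery requires the relying party to reject a response whose `issuer` differs from the one used to build the well-known URL, which is also what catches a misconfigured or redirected discovery endpoint. Unless `_validate_metadata` (defined outside this hunk) already does that comparison, add a guard directly after the update, e.g. `if metadata.get("issuer") != self._config.issuer: raise ValueError("discovered issuer %r does not match configured issuer %r" % (metadata.get("issuer"), self._config.issuer))`, and reword the "discovered issuer takes precedence" comment accordingly, since the configured value would then be the authoritative one. The four repeated `if self._config.<name>: metadata[<name>] = ...` blocks could also be folded into one loop over the four attribute names, but that is a style point only.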
-- 
GitLab