Tighten the restrictions on `idp_id` (#9177)

e51b2f3f · Richard van der Hoff · GitHub · 0cd2938b · e51b2f3f · e51b2f3f
Unverified Commit e51b2f3f authored 4 years ago by Richard van der Hoff Committed by GitHub 4 years ago
--- a/changelog.d/9177.feature
+++ b/changelog.d/9177.feature
+Add support for multiple SSO Identity Providers.
--- a/synapse/config/oidc_config.py
+++ b/synapse/config/oidc_config.py
@@ -331,17 +331,23 @@ def _parse_oidc_config_dict(
            config_path + ("user_mapping_provider", "module"),
        )
-    # MSC2858 will appy certain limits in what can be used as an IdP id, so let's
+    # MSC2858 will apply certain limits in what can be used as an IdP id, so let's
    # enforce those limits now.
+    # TODO: factor out this stuff to a generic function
    idp_id = oidc_config.get("idp_id", "oidc")
-    valid_idp_chars = set(string.ascii_letters + string.digits + "-._~")
+    valid_idp_chars = set(string.ascii_lowercase + string.digits + "-._")
    if any(c not in valid_idp_chars for c in idp_id):
        raise ConfigError(
-            'idp_id may only contain A-Z, a-z, 0-9, "-", ".", "_", "~"',
+            'idp_id may only contain a-z, 0-9, "-", ".", "_"',
            config_path + ("idp_id",),
        )
+    if idp_id[0] not in string.ascii_lowercase:
+        raise ConfigError(
+            "idp_id must start with a-z", config_path + ("idp_id",),
+        )
    # MSC2858 also specifies that the idp_icon must be a valid MXC uri
    idp_icon = oidc_config.get("idp_icon")
    if idp_icon is not None: