From 20c9ad05302d62514ea85d2c7fd5599578fd39b8 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Mon, 8 Jul 2024 11:09:57 +0200
Subject: [PATCH 1/2] MSC3861: allow overriding the introspection endpoint
This makes it easier to go through an internal endpoint instead of the public facing URL when introspecting tokens, reducing latency.
---
 synapse/api/auth/msc3861_delegated.py | 15 +++++++++++++--
 synapse/config/experimental.py | 6 ++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
index f61b39ded7..7361666c77 100644
--- a/synapse/api/auth/msc3861_delegated.py
+++ b/synapse/api/auth/msc3861_delegated.py
@@ -145,6 +145,18 @@ async def _load_metadata(self) -> OpenIDProviderMetadata: # metadata.validate_introspection_endpoint() return metadata + async def _introspection_endpoint(self) -> str: + """ + Returns the introspection endpoint of the issuer + + It uses the config option if set, otherwise it will use OIDC discovery to get it + """ + if self._config.introspection_endpoint is not None: + return self._config.introspection_endpoint + + metadata = await self._load_metadata() + return metadata.get("introspection_endpoint") + async def _introspect_token(self, token: str) -> IntrospectionToken: """ Send a token to the introspection endpoint and returns the introspection response
@@ -161,8 +173,7 @@ async def _introspect_token(self, token: str) -> IntrospectionToken: Returns: The introspection response """ - metadata = await self._issuer_metadata.get() - introspection_endpoint = metadata.get("introspection_endpoint") + introspection_endpoint = await self._introspection_endpoint() raw_headers: Dict[str, str] = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": str(self._http_client.user_agent, "utf-8"),
diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py
index 1b72727b75..74dd7eb549 100644
--- a/synapse/config/experimental.py
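Review bot: The new `_introspection_endpoint` helper falls back to `await self._load_metadata()`, whereas the line it replaces in the second hunk of this file went through `await self._issuer_metadata.get()`; if that accessor is the cached wrapper around `_load_metadata` (the context suggests `_load_metadata` is the raw loader), the fallback path now performs an OIDC discovery round trip on every token introspection, which works against the latency goal in the commit message, so I would keep `metadata = await self._issuer_metadata.get()` in the helper. The helper is also annotated `-> str` but returns `metadata.get("introspection_endpoint")`, which is `None` when the provider's metadata lacks that key (the `validate_introspection_endpoint()` call just above it is commented out), so the POST in `_introspect_token` would fail with an unhelpful error rather than a clear one; bind the lookup to a local and raise a descriptive error when it is `None` before returning it. Both points apply to the second hunk as well, which only consumes this helper, and `_introspect_token`'s body continues outside that hunk.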
+++ b/synapse/config/experimental.py
@@ -140,6 +140,12 @@ def _check_client_auth_method( ("experimental", "msc3861", "client_auth_method"), ) + introspection_endpoint: Optional[str] = attr.ib( + default=None, + validator=attr.validators.optional(attr.validators.instance_of(str)), + ) + """The URL of the introspection endpoint used to validate access tokens.""" + account_management_url: Optional[str] = attr.ib( default=None, validator=attr.validators.optional(attr.validators.instance_of(str)),
From ee91fd680586269144c4168d379c95d9b69f94de Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Mon, 8 Jul 2024 12:04:35 +0200
Subject: [PATCH 2/2] Newsfile.
---
 changelog.d/17406.misc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/17406.misc
diff --git a/changelog.d/17406.misc b/changelog.d/17406.misc
new file mode 100644
index 0000000000..83f34cac43
--- /dev/null
+++ b/changelog.d/17406.misc
@@ -0,0 +1 @@
+MSC3861: allow overriding the introspection endpoint.
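Review bot: The new `introspection_endpoint` option is validated only as a `str`, yet once set it is the URL to which `_introspect_token` posts every access token it validates along with the client credentials, with OIDC discovery skipped entirely; a plain `http://` or mistyped value would therefore send those secrets in cleartext or to the wrong host with no error at startup. Consider tightening the validator to require an absolute URL with an `https` scheme (or at minimum checking the scheme), and expanding the one-line attribute docstring to state the contract, e.g. `"""Optional override for the issuer's introspection endpoint. When set, OIDC discovery is not used to locate it; the access tokens being validated and the client credentials are sent to this URL, so it must be a trusted (normally https) endpoint."""`. If the MSC3861 options are described in the configuration documentation, that likely needs a matching entry too, which I cannot confirm from this diff.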