@odelcroi (Contributor) commented Mar 12, 2025

Add passthrough_authorization_parameters support to OIDC configuration

This PR adds the passthrough_authorization_parameters option to OIDC configuration, allowing specific query parameters (like login_hint) to be passed from the redirect endpoint to the authorization grant URL.

This enables clients to provide additional context to identity providers during authentication flows.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)

@odelcroi odelcroi requested a review from a team as a code owner March 12, 2025 15:26
@odelcroi odelcroi closed this Mar 18, 2025
@odelcroi odelcroi reopened this Mar 18, 2025
@odelcroi odelcroi closed this Mar 21, 2025
@odelcroi odelcroi reopened this Mar 21, 2025
Member
This would be an extension of the spec, which should go through the spec change process. Given that it's unlikely that such a spec change would land, I think it would make sense to instead have a generic option to 'passthrough' specific query parameters.

Something like

oidc_providers:
  - idp_id: 
    passthrough_authorization_parameters:
      - login_hint

And then pass through any query parameter passed to /_matrix/client/v3/login/sso/redirect to the OIDC authorization request.
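
The PR description and the proposal above describe an allowlist: only the query parameters named under a provider's `passthrough_authorization_parameters` are copied from `/_matrix/client/v3/login/sso/redirect` into the OIDC authorization request; anything else the client sends is ignored. The following is an added illustration of that allowlist written for this page, not Synapse's own implementation. The provider values, the callback URL, the `authorization_params` helper and the rule that refuses an allowlist naming a reserved OAuth parameter (`state`, `nonce`, `redirect_uri`, and so on) are assumptions made here, not behaviour the PR or Synapse's code is known to guarantee.

```python
"""Allowlisted passthrough of SSO-redirect query parameters into an OIDC
authorization request. Added illustration, not Synapse's code; the provider
values, callback URL and reserved-parameter policy below are assumptions."""
from urllib.parse import parse_qs, urlencode

# Constructed provider config mirroring the YAML shape from the PR discussion.
# idp_id, endpoint and client_id are hypothetical values.
OIDC_PROVIDER = {
    "idp_id": "example-idp",
    "authorization_endpoint": "https://idp.example.org/authorize",
    "client_id": "synapse-client",
    "passthrough_authorization_parameters": ["login_hint"],
}

# Parameters the homeserver must set itself. A passthrough that let a client
# supply them would defeat the state (CSRF), nonce (replay) and redirect_uri
# checks of the flow, so this example refuses an allowlist that names any of them.
RESERVED_AUTHZ_PARAMS = frozenset(
    {"client_id", "response_type", "redirect_uri", "scope", "state", "nonce"}
)


def validate_passthrough_allowlist(allowlist):
    """Reject a misconfigured allowlist that names a reserved parameter."""
    reserved = RESERVED_AUTHZ_PARAMS.intersection(allowlist)
    if reserved:
        raise ValueError(
            "passthrough_authorization_parameters may not include "
            + ", ".join(sorted(reserved))
        )
    return list(allowlist)


def select_passthrough_params(redirect_query, allowlist):
    """Keep exactly the allowlisted parameters from the query string sent to
    /_matrix/client/v3/login/sso/redirect; everything else the client sent is dropped."""
    allowlist = validate_passthrough_allowlist(allowlist)
    args = parse_qs(redirect_query, keep_blank_values=False)
    selected = {}
    for name in allowlist:
        values = args.get(name)
        if values:
            # Forward only the first value; a repeated parameter is not fanned out.
            selected[name] = values[0]
    return selected


def authorization_params(provider, redirect_uri, state, nonce, redirect_query):
    """Server-controlled parameters first, then the allowlisted passthrough ones,
    which can never overwrite a server-set parameter."""
    params = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    passthrough = select_passthrough_params(
        redirect_query, provider["passthrough_authorization_parameters"]
    )
    for name, value in passthrough.items():
        if name in params:  # unreachable after validation, kept as a guard
            raise ValueError(f"passthrough would override server-set {name}")
        params[name] = value
    return params


def build_authorization_url(provider, redirect_uri, state, nonce, redirect_query):
    """Assemble the authorization-grant URL the browser is redirected to."""
    params = authorization_params(provider, redirect_uri, state, nonce, redirect_query)
    return provider["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed client request: a legitimate login_hint plus two parameters a
    # misbehaving client might try to smuggle into the authorization request.
    query = (
        "redirectUrl=https%3A%2F%2Fapp.example%2F"
        "&login_hint=alice%40example.org"
        "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb"
        "&prompt=none"
    )
    print(build_authorization_url(
        OIDC_PROVIDER, "https://matrix.example.org/_synapse/client/oidc/callback",
        "constructed-state", "constructed-nonce", query,
    ))
```

Keep the allowlist to hint-style parameters such as `login_hint`. Whether the shipped implementation refuses, ignores or lets a passed-through value replace a parameter the server sets itself is something to confirm against the Synapse version you run rather than infer from this example.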

@odelcroi (Contributor, Author) commented Apr 2, 2025
Thanks for your input, makes sense. I've made the corresponding changes.

@odelcroi odelcroi requested a review from sandhose April 1, 2025 15:19
@odelcroi odelcroi changed the title from "Add support for the login_hint parameter in OIDC authentication flow" to "Add passthrough_authorization_parameters support to OIDC configuration" Apr 2, 2025
@odelcroi odelcroi closed this Apr 8, 2025
@odelcroi odelcroi reopened this Apr 8, 2025
@odelcroi odelcroi closed this Apr 10, 2025
@odelcroi odelcroi reopened this Apr 10, 2025
@sandhose (Member) left a comment
Pretty nice and short in the end, thanks for doing this!

@odelcroi odelcroi requested a review from sandhose April 10, 2025 13:11
@odelcroi (Contributor, Author)
@sandhose thanks 👍

@odelcroi odelcroi closed this Apr 10, 2025
@odelcroi odelcroi reopened this Apr 10, 2025
@sandhose sandhose enabled auto-merge (squash) April 10, 2025 13:13
@sandhose sandhose merged commit dd05cc5 into element-hq:develop Apr 10, 2025
52 of 73 checks passed
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jul 17, 2025
Builds on NetBSD 10 amd64, and builds/tests-ok on NetBSD 9 amd64 using
dependencies from 2025Q2.

NB: A security update to synapse is scheduled for July 22.  Consult
  https://matrix.org/blog/2025/07/security-predisclosure/
for further details.

Those running synapse in production may wish to update to 1.134.0 to
reduce the magnitude of change when updating to the July 22 version
(although that will be a big update regardless).  Note that the usual
pkgsrc pre-commit test is upgrading from the current pkgsrc version
and briefly checking operation.  Therefore, not upgrading has a
theoretical risk of encountering a 1.127.1 to 1.135.0 update bug when
1.127.1 to 1.134.0 and 1.134.0 to 1.135.0 are ok.

# Synapse 1.134.0 (2025-07-15)

- Support for [MSC4235](matrix-org/matrix-spec-proposals#4235): `via` query param for hierarchy endpoint. Contributed by Krishan (@kfiven). ([\#18070](element-hq/synapse#18070))
- Add `forget_forced_upon_leave` capability as per [MSC4267](matrix-org/matrix-spec-proposals#4267). ([\#18196](element-hq/synapse#18196))
- Add `federated_user_may_invite` spam checker callback which receives the entire invite event. Contributed by @tulir @ Beeper. ([\#18241](element-hq/synapse#18241))

# Synapse 1.133.0 (2025-07-01)

- Add support for the [MSC4260 user report API](matrix-org/matrix-spec-proposals#4260). ([\#18120](element-hq/synapse#18120))

# Synapse 1.132.0 (2025-06-17)

- Add support for [MSC4155](matrix-org/matrix-spec-proposals#4155) Invite Filtering. ([\#18288](element-hq/synapse#18288))
- Add experimental `user_may_send_state_event` module API callback. ([\#18455](element-hq/synapse#18455))
- Add experimental `get_media_config_for_user` and `is_user_allowed_to_upload_media_of_size` module API callbacks that allow overriding of media repository maximum upload size. ([\#18457](element-hq/synapse#18457))
- Add experimental `get_ratelimit_override_for_user` module API callback that allows overriding of per-user ratelimits. ([\#18458](element-hq/synapse#18458))
- Pass `room_config` argument to `user_may_create_room` spam checker module callback. ([\#18486](element-hq/synapse#18486))
- Support configuration of default and extra user types. ([\#18456](element-hq/synapse#18456))
- Successful requests to `/_matrix/app/v1/ping` will now force Synapse to reattempt delivering transactions to appservices. ([\#18521](element-hq/synapse#18521))
- Support the import of the `RatelimitOverride` type from `synapse.module_api` in modules and rename `messages_per_second` to `per_second`. ([\#18513](element-hq/synapse#18513))

# Synapse 1.131.0 (2025-06-03)

- Add `msc4263_limit_key_queries_to_users_who_share_rooms` config option as per [MSC4263](matrix-org/matrix-spec-proposals#4263). ([\#18180](element-hq/synapse#18180))
- Add option to allow registrations that begin with `_`. Contributed by `_` (@hex5f). ([\#18262](element-hq/synapse#18262))
- Include room ID in response to the [Room Deletion Status Admin API](https://element-hq.github.io/synapse/latest/admin_api/rooms.html#status-of-deleting-rooms). ([\#18318](element-hq/synapse#18318))
- Add support for calling Policy Servers ([MSC4284](matrix-org/matrix-spec-proposals#4284)) to mark events as spam. ([\#18387](element-hq/synapse#18387))

# Synapse 1.130.0 (2025-05-20)

- Add an Admin API endpoint `GET /_synapse/admin/v1/scheduled_tasks`  to fetch scheduled tasks. ([\#18214](element-hq/synapse#18214))
- Add config option `user_directory.exclude_remote_users` which, when enabled, excludes remote users from user directory search results. ([\#18300](element-hq/synapse#18300))
- Add support for handling `GET /devices/` on workers. ([\#18355](element-hq/synapse#18355))


# Synapse 1.129.0 (2025-05-06)

- Add `passthrough_authorization_parameters` in OIDC configuration to allow passing parameters to the authorization grant URL. ([\#18232](element-hq/synapse#18232))
- Add `total_event_count`, `total_message_count`, and `total_e2ee_event_count` fields to the homeserver usage statistics. ([\#18260](element-hq/synapse#18260))

# Synapse 1.128.0 (2025-04-08)

- Add an access token introspection cache to make Matrix Authentication Service integration ([MSC3861](matrix-org/matrix-spec-proposals#3861)) more efficient. ([\#18231](element-hq/synapse#18231))
- Add background job to clear unreferenced state groups. ([\#18254](element-hq/synapse#18254))
- Hashes of media files are now tracked by Synapse. Media quarantines will now apply to all files with the same hash. ([\#18277](element-hq/synapse#18277), [\#18302](element-hq/synapse#18302), [\#18296](element-hq/synapse#18296))
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jul 18, 2025
chat/matrix-synapse: Update package in anticipation of security fix

Revisions pulled up:
- chat/matrix-synapse/Makefile                                  1.112
- chat/matrix-synapse/PLIST                                     1.59
- chat/matrix-synapse/cargo-depends.mk                          1.27
- chat/matrix-synapse/distinfo                                  1.80

---
   Module Name:    pkgsrc
   Committed By:   gdt
   Date:           Thu Jul 17 11:24:44 UTC 2025

   Modified Files:
           pkgsrc/chat/matrix-synapse: Makefile PLIST cargo-depends.mk distinfo

   Log Message:
   chat/matrix-synapse: Update to 1.134.0
riastradh pushed a commit to riastradh/pkgsrc-test20250901 that referenced this pull request Sep 1, 2025