matrix-org · clokep · Oct 1, 2020 · Jun 8, 2020 · Jun 8, 2020 · Jun 8, 2020
@@ -0,0 +1 @@
+Add config option for always using userinfo endpoint for OpenID Connect with Gitlab. Contributed by Benjamin Koch.
@@ -1601,6 +1601,11 @@ oidc_config:
   #
   #skip_verification: true
 
+  # Always use userinfo endpoint. Required for providers that don't include
+  # user information in the token response, e.g. Gitlab.
+  #
+  #uses_userinfo: true
+
   # An external module can be provided here as a custom solution to mapping
   # attributes returned from a OIDC provider onto a matrix user.
   #

@@ -56,6 +56,7 @@ def read_config(self, config, **kwargs):
         self.oidc_userinfo_endpoint = oidc_config.get("userinfo_endpoint")
         self.oidc_jwks_uri = oidc_config.get("jwks_uri")
         self.oidc_skip_verification = oidc_config.get("skip_verification", False)
+        self.oidc_uses_userinfo = oidc_config.get("uses_userinfo", False)
 
         ump_config = oidc_config.get("user_mapping_provider", {})
         ump_config.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER)
@@ -158,6 +159,11 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
           #
           #skip_verification: true
 
+          # Always use userinfo endpoint. Required for providers that don't include
+          # user information in the token response, e.g. Gitlab.
+          #
+          #uses_userinfo: true
+
           # An external module can be provided here as a custom solution to mapping
           # attributes returned from a OIDC provider onto a matrix user.
           #

@@ -94,6 +94,7 @@ class OidcHandler:
     def __init__(self, hs: HomeServer):
         self._callback_url = hs.config.oidc_callback_url  # type: str
         self._scopes = hs.config.oidc_scopes  # type: List[str]
+        self._uses_userinfo_config = hs.config.oidc_uses_userinfo  # type: bool
         self._client_auth = ClientAuth(
             hs.config.oidc_client_id,
             hs.config.oidc_client_secret,
@@ -224,8 +225,7 @@ def _uses_userinfo(self) -> bool:
         ``access_token`` with the ``userinfo_endpoint``.
         """
 
-        # Maybe that should be user-configurable and not inferred?
-        return "openid" not in self._scopes
+        return self._uses_userinfo_config or "openid" not in self._scopes
 
     async def load_metadata(self) -> OpenIDProviderMetadata:
         """Load and validate the provider metadata.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Add config option for always using userinfo endpoint for OpenID Connect with Gitlab. Contributed by Benjamin Koch.
clokep marked this conversation as resolved. Show resolved Hide resolved