Support the new /auth_metadata endpoint defined in MSC2965. (#18093)

See the updated MSC2965

---------

Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>

changelog.d/18093.feature

@@ -0,0 +1 @@
+Support the new `/auth_metadata` endpoint defined in [MSC2965](https://github.com/matrix-org/matrix-spec-proposals/pull/2965).

synapse/api/auth/msc3861_delegated.py

@@ -174,6 +174,12 @@ class MSC3861DelegatedAuth(BaseAuth):
             logger.warning("Failed to load metadata:", exc_info=True)
             return None
 
+    async def auth_metadata(self) -> Dict[str, Any]:
+        """
+        Returns the auth metadata dict
+        """
+        return await self._issuer_metadata.get()
+
     async def _introspection_endpoint(self) -> str:
         """
         Returns the introspection endpoint of the issuer

synapse/rest/__init__.py

@@ -29,7 +29,7 @@ from synapse.rest.client import (
     account_validity,
     appservice_ping,
     auth,
-    auth_issuer,
+    auth_metadata,
     capabilities,
     delayed_events,
     devices,
@@ -121,7 +121,7 @@ CLIENT_SERVLET_FUNCTIONS: Tuple[RegisterServletsFunc, ...] = (
     mutual_rooms.register_servlets,
     login_token_request.register_servlets,
     rendezvous.register_servlets,
-    auth_issuer.register_servlets,
+    auth_metadata.register_servlets,
 )
 
 SERVLET_GROUPS: Dict[str, Iterable[RegisterServletsFunc]] = {
@@ -187,7 +187,7 @@ class ClientRestResource(JsonResource):
                     mutual_rooms.register_servlets,
                     login_token_request.register_servlets,
                     rendezvous.register_servlets,
-                    auth_issuer.register_servlets,
+                    auth_metadata.register_servlets,
                 ]:
                     continue
 

synapse/rest/client/auth_metadata.py

@@ -32,6 +32,8 @@ logger = logging.getLogger(__name__)
 class AuthIssuerServlet(RestServlet):
     """
     Advertises what OpenID Connect issuer clients should use to authorise users.
+    This endpoint was defined in a previous iteration of MSC2965, and is still
+    used by some clients.
     """
 
     PATTERNS = client_patterns(
@@ -63,7 +65,42 @@ class AuthIssuerServlet(RestServlet):
             )
 
 
+class AuthMetadataServlet(RestServlet):
+    """
+    Advertises the OAuth 2.0 server metadata for the homeserver.
+    """
+
+    PATTERNS = client_patterns(
+        "/org.matrix.msc2965/auth_metadata$",
+        unstable=True,
+        releases=(),
+    )
+
+    def __init__(self, hs: "HomeServer"):
+        super().__init__()
+        self._config = hs.config
+        self._auth = hs.get_auth()
+
+    async def on_GET(self, request: SynapseRequest) -> Tuple[int, JsonDict]:
+        if self._config.experimental.msc3861.enabled:
+            # If MSC3861 is enabled, we can assume self._auth is an instance of MSC3861DelegatedAuth
+            # We import lazily here because of the authlib requirement
+            from synapse.api.auth.msc3861_delegated import MSC3861DelegatedAuth
+
+            auth = cast(MSC3861DelegatedAuth, self._auth)
+            return 200, await auth.auth_metadata()
+        else:
+            # Wouldn't expect this to be reached: the servlet shouldn't have been
+            # registered. Still, fail gracefully if we are registered for some reason.
+            raise SynapseError(
+                404,
+                "OIDC discovery has not been configured on this homeserver",
+                Codes.NOT_FOUND,
+            )
+
+
 def register_servlets(hs: "HomeServer", http_server: HttpServer) -> None:
     # We use the MSC3861 values as they are used by multiple MSCs
     if hs.config.experimental.msc3861.enabled:
         AuthIssuerServlet(hs).register(http_server)
+        AuthMetadataServlet(hs).register(http_server)

tests/rest/client/test_auth_issuer.py

@@ -1,79 +0,0 @@
-# Copyright 2023 The Matrix.org Foundation C.I.C.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-from http import HTTPStatus
-from unittest.mock import AsyncMock
-
-from synapse.rest.client import auth_issuer
-
-from tests.unittest import HomeserverTestCase, override_config, skip_unless
-from tests.utils import HAS_AUTHLIB
-
-ISSUER = "https://account.example.com/"
-
-
-class AuthIssuerTestCase(HomeserverTestCase):
-    servlets = [
-        auth_issuer.register_servlets,
-    ]
-
-    def test_returns_404_when_msc3861_disabled(self) -> None:
-        # Make an unauthenticated request for the discovery info.
-        channel = self.make_request(
-            "GET",
-            "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
-        )
-        self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
-
-    @skip_unless(HAS_AUTHLIB, "requires authlib")
-    @override_config(
-        {
-            "disable_registration": True,
-            "experimental_features": {
-                "msc3861": {
-                    "enabled": True,
-                    "issuer": ISSUER,
-                    "client_id": "David Lister",
-                    "client_auth_method": "client_secret_post",
-                    "client_secret": "Who shot Mister Burns?",
-                }
-            },
-        }
-    )
-    def test_returns_issuer_when_oidc_enabled(self) -> None:
-        # Patch the HTTP client to return the issuer metadata
-        req_mock = AsyncMock(return_value={"issuer": ISSUER})
-        self.hs.get_proxied_http_client().get_json = req_mock  # type: ignore[method-assign]
-
-        channel = self.make_request(
-            "GET",
-            "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
-        )
-
-        self.assertEqual(channel.code, HTTPStatus.OK)
-        self.assertEqual(channel.json_body, {"issuer": ISSUER})
-
-        req_mock.assert_called_with(
-            "https://account.example.com/.well-known/openid-configuration"
-        )
-        req_mock.reset_mock()
-
-        # Second call it should use the cached value
-        channel = self.make_request(
-            "GET",
-            "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
-        )
-
-        self.assertEqual(channel.code, HTTPStatus.OK)
-        self.assertEqual(channel.json_body, {"issuer": ISSUER})
-        req_mock.assert_not_called()

tests/rest/client/test_auth_metadata.py

@@ -0,0 +1,140 @@
+#
+# This file is licensed under the Affero General Public License (AGPL) version 3.
+#
+# Copyright 2023 The Matrix.org Foundation C.I.C
+# Copyright (C) 2023-2025 New Vector, Ltd
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# See the GNU Affero General Public License for more details:
+# <https://www.gnu.org/licenses/agpl-3.0.html>.
+#
+# Originally licensed under the Apache License, Version 2.0:
+# <http://www.apache.org/licenses/LICENSE-2.0>.
+#
+# [This file includes modifications made by New Vector Limited]
+#
+from http import HTTPStatus
+from unittest.mock import AsyncMock
+
+from synapse.rest.client import auth_metadata
+
+from tests.unittest import HomeserverTestCase, override_config, skip_unless
+from tests.utils import HAS_AUTHLIB
+
+ISSUER = "https://account.example.com/"
+
+
+class AuthIssuerTestCase(HomeserverTestCase):
+    servlets = [
+        auth_metadata.register_servlets,
+    ]
+
+    def test_returns_404_when_msc3861_disabled(self) -> None:
+        # Make an unauthenticated request for the discovery info.
+        channel = self.make_request(
+            "GET",
+            "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+        )
+        self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
+
+    @skip_unless(HAS_AUTHLIB, "requires authlib")
+    @override_config(
+        {
+            "disable_registration": True,
+            "experimental_features": {
+                "msc3861": {
+                    "enabled": True,
+                    "issuer": ISSUER,
+                    "client_id": "David Lister",
+                    "client_auth_method": "client_secret_post",
+                    "client_secret": "Who shot Mister Burns?",
+                }
+            },
+        }
+    )
+    def test_returns_issuer_when_oidc_enabled(self) -> None:
+        # Patch the HTTP client to return the issuer metadata
+        req_mock = AsyncMock(return_value={"issuer": ISSUER})
+        self.hs.get_proxied_http_client().get_json = req_mock  # type: ignore[method-assign]
+
+        channel = self.make_request(
+            "GET",
+            "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+        )
+
+        self.assertEqual(channel.code, HTTPStatus.OK)
+        self.assertEqual(channel.json_body, {"issuer": ISSUER})
+
+        req_mock.assert_called_with(
+            "https://account.example.com/.well-known/openid-configuration"
+        )
+        req_mock.reset_mock()
+
+        # Second call it should use the cached value
+        channel = self.make_request(
+            "GET",
+            "/_matrix/client/unstable/org.matrix.msc2965/auth_issuer",
+        )
+
+        self.assertEqual(channel.code, HTTPStatus.OK)
+        self.assertEqual(channel.json_body, {"issuer": ISSUER})
+        req_mock.assert_not_called()
+
+
+class AuthMetadataTestCase(HomeserverTestCase):
+    servlets = [
+        auth_metadata.register_servlets,
+    ]
+
+    def test_returns_404_when_msc3861_disabled(self) -> None:
+        # Make an unauthenticated request for the discovery info.
+        channel = self.make_request(
+            "GET",
+            "/_matrix/client/unstable/org.matrix.msc2965/auth_metadata",
+        )
+        self.assertEqual(channel.code, HTTPStatus.NOT_FOUND)
+
+    @skip_unless(HAS_AUTHLIB, "requires authlib")
+    @override_config(
+        {
+            "disable_registration": True,
+            "experimental_features": {
+                "msc3861": {
+                    "enabled": True,
+                    "issuer": ISSUER,
+                    "client_id": "David Lister",
+                    "client_auth_method": "client_secret_post",
+                    "client_secret": "Who shot Mister Burns?",
+                }
+            },
+        }
+    )
+    def test_returns_issuer_when_oidc_enabled(self) -> None:
+        # Patch the HTTP client to return the issuer metadata
+        req_mock = AsyncMock(
+            return_value={
+                "issuer": ISSUER,
+                "authorization_endpoint": "https://example.com/auth",
+                "token_endpoint": "https://example.com/token",
+            }
+        )
+        self.hs.get_proxied_http_client().get_json = req_mock  # type: ignore[method-assign]
+
+        channel = self.make_request(
+            "GET",
+            "/_matrix/client/unstable/org.matrix.msc2965/auth_metadata",
+        )
+
+        self.assertEqual(channel.code, HTTPStatus.OK)
+        self.assertEqual(
+            channel.json_body,
+            {
+                "issuer": ISSUER,
+                "authorization_endpoint": "https://example.com/auth",
+                "token_endpoint": "https://example.com/token",
+            },
+        )