The OpenID Connect authenticator does not use the userinfo endpoint by default #9316
What I see in https://github.com/matrix-org/synapse/blob/v1.26.0/synapse/handlers/oidc_handler.py#L778 suggests to me that the provider is supposed to take the userinfo as input, so there is no reason for it to pull it.
It seems for the display name that I won't have it if I don't set
I feel it would be much nicer to fall back on the standard OIDC "name" claim, for example.
This issue seems to conflate a couple of separate issues: one, whether we should use the userinfo endpoint by default; two, whether we can improve the defaults for populating displayname, email, etc. I think the first is discussed and resolved in #9315. The second is debatable, but if it's still a concern it might be best to open a new issue with a clearer description of the situation?
No, this issue really was only related to the fact that the userinfo is not used by default, which is quite surprising from an OIDC point of view. I worked around it with #9315 is not really the same thing; I just missed that it was expected for the authenticator to ask the user for its id by default and assumed it was because the subject contained upper case letters.
Note that this behavior was added in #7658; that PR is quite confusing, but there were some backwards-compatibility concerns about always fetching it, I think?
Right, sorry, I was finding it hard to get an overview of the issue. For the record, I believe a summary is:
I say sometimes false: many Authorization Servers return extra data in the I understand the proposal here is to call the That's not an unreasonable suggestion, though it comes at the cost of a potentially redundant round-trip to the Identity Provider. However, I am a little wary of somehow breaking people's existing installations (e.g. their
Sure, but then it's not really OpenID Connect stuff. The OIDC specification seems to suggest in https://openid.net/specs/openid-connect-basic-1_0.html#rfc.section.2.5 that it is the job of the userinfo endpoint to provide the values of the standard claims related to user details (associated to the Where I agree is that if the only scope provided is "oidc" then there does not seem to be any point in accessing the userinfo endpoint (since you are supposed to explicitly request scopes like
I don't get any of the user information (I would have expected to see at least the display name and the email) available through the userinfo endpoint (advertised in the discovery endpoint) synchronized with my Matrix account.
According to https://github.com/matrix-org/synapse/blob/v1.26.0/synapse/handlers/oidc_handler.py#L342 the authenticator seems to assume that the concept of a userinfo endpoint is not really part of the OpenID Connect protocol and expects user-related claims to be provided by the ID token as soon as the scopes contain "oidc".
From what I can see in the OIDC specification, the only user-related information the ID token is supposed to contain is the subject, and if the authenticator needs to resolve all the user claims (those part of profile and email) it asked the authentication endpoint to authorize, it's supposed to go through the userinfo endpoint.
Synapse version: 1.26.0
My oidc config:
I'm testing with https://app.element.io as client.
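As an added example (not code from Synapse or from this issue's author), here is the relying-party decision the thread is about: call the userinfo endpoint only when the requested scopes ask for claims the ID token did not carry, and refuse the userinfo response if its `sub` does not match the ID token's `sub` before merging. The function names, the scope-to-claim table and the sample token data are assumptions constructed for the example.

```python
from typing import Callable, Dict, Iterable, Set, Tuple

# Standard claims each scope requests (OpenID Connect Core 1.0, section 5.4).
# The "openid" scope itself only guarantees "sub" in the ID token.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "profile": {"name", "preferred_username", "picture"},
    "email": {"email", "email_verified"},
}

def missing_claims(id_token: Dict[str, object], scopes: Iterable[str]) -> Set[str]:
    """Claims the requested scopes entitle us to that the ID token did not carry."""
    wanted: Set[str] = set()
    for scope in scopes:
        wanted |= SCOPE_CLAIMS.get(scope, set())
    return wanted - set(id_token)

def resolve_claims(
    id_token: Dict[str, object],
    scopes: Iterable[str],
    fetch_userinfo: Callable[[], Dict[str, object]],
) -> Tuple[Dict[str, object], bool]:
    """Return (claims, used_userinfo).

    id_token must already be signature-checked. The userinfo endpoint is only
    called when the ID token lacks claims the scopes asked for, which avoids
    the extra round-trip for "openid"-only deployments. The userinfo "sub" is
    required to match the ID token "sub" (OIDC Core 5.3.2); a mismatch is
    treated as an error rather than silently attaching another user's data.
    """
    scopes = list(scopes)
    claims = dict(id_token)
    if not missing_claims(id_token, scopes):
        return claims, False
    userinfo = fetch_userinfo()
    if userinfo.get("sub") != id_token.get("sub"):
        raise ValueError("userinfo 'sub' does not match ID token 'sub'")
    for key, value in userinfo.items():
        # Signed ID token values take precedence; userinfo only fills gaps.
        claims.setdefault(key, value)
    return claims, True

# Constructed sample data (not from the issue): an ID token carrying only the
# subject, and a userinfo response for the same subject.
SAMPLE_ID_TOKEN = {"iss": "https://idp.example.org", "sub": "AbC123", "aud": "synapse"}
SAMPLE_USERINFO = {"sub": "AbC123", "name": "Alice Example",
                   "email": "alice@example.org", "email_verified": True}

def sample_fetch() -> Dict[str, object]:
    return dict(SAMPLE_USERINFO)
```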