Carry IdP Session IDs through user-mapping sessions. (#13839)

Since #11482, we're saving sessions IDs from upstream IdPs, but we've been losing them when the user goes through a user mapping session on account registration.
2022-09-27 15:38:14 +02:00 · 2022-09-27 15:38:14 +02:00 · 50c92f3a69
parent a95ce6dd08
commit 50c92f3a69
2 changed files with 10 additions and 0 deletions
--- a/changelog.d/13839.misc
+++ b/changelog.d/13839.misc
@ -0,0 +1 @@
+Carry IdP Session IDs through user-mapping sessions.
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@ -147,6 +147,9 @@ class UsernameMappingSession:
    # A unique identifier for this SSO provider, e.g.  "oidc" or "saml".
    auth_provider_id: str

+    # An optional session ID from the IdP.
+    auth_provider_session_id: Optional[str]
+
    # user ID on the IdP server
    remote_user_id: str

@ -464,6 +467,7 @@ class SsoHandler:
                        client_redirect_url,
                        next_step_url,
                        extra_login_attributes,
+                        auth_provider_session_id,
                    )

                user_id = await self._register_mapped_user(
@ -585,6 +589,7 @@ class SsoHandler:
        client_redirect_url: str,
        next_step_url: bytes,
        extra_login_attributes: Optional[JsonDict],
+        auth_provider_session_id: Optional[str],
    ) -> NoReturn:
        """Creates a UsernameMappingSession and redirects the browser

@ -607,6 +612,8 @@ class SsoHandler:
            extra_login_attributes: An optional dictionary of extra
                attributes to be provided to the client in the login response.

+            auth_provider_session_id: An optional session ID from the IdP.
+
        Raises:
            RedirectException
        """
@ -615,6 +622,7 @@ class SsoHandler:
        now = self._clock.time_msec()
        session = UsernameMappingSession(
            auth_provider_id=auth_provider_id,
+            auth_provider_session_id=auth_provider_session_id,
            remote_user_id=remote_user_id,
            display_name=attributes.display_name,
            emails=attributes.emails,
@ -968,6 +976,7 @@ class SsoHandler:
            session.client_redirect_url,
            session.extra_login_attributes,
            new_user=True,
+            auth_provider_session_id=session.auth_provider_session_id,
        )

    def _expire_old_sessions(self) -> None:
				`@ -0,0 +1 @@`
				`Carry IdP Session IDs through user-mapping sessions.`