Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

SSO rest API for redirect is loaded if no SSO is configured #15402

Closed
dklimpel opened this issue Apr 6, 2023 · 2 comments · Fixed by #15421
Closed

SSO rest API for redirect is loaded if no SSO is configured #15402

dklimpel opened this issue Apr 6, 2023 · 2 comments · Fixed by #15421
Labels
A-SSO Single Sign-On (maybe OIDC) S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.

Comments

@dklimpel
Copy link
Contributor

dklimpel commented Apr 6, 2023

Description

Rest api is loaded and can be called if no SSO is configured.

API returns an error "Homeserver not configured for SSO." But I can not see why the server needs to be run this api.

Steps to reproduce

  • setup a new homeserver
  • request /_matrix/client/r0/login/sso/redirect?redirectUrl=www.example.org

Homeserver

another

Synapse Version

1.78.0

Installation Method

Docker (matrixdotorg/synapse)

Database

PostgreSQL

Workers

Single process

Platform

K8s

Configuration

only password login

Relevant log output

None

Anything else that would be useful to know?

Probably there could be a check here for SSO capabilities:

synapse/synapse/rest/client/login.py

Line 675 in 98fd558

SsoRedirectServlet(hs).register(http_server)

Similar to:

synapse/synapse/rest/client/login.py

Line 148 in 98fd558

if self.cas_enabled or self.saml2_enabled or self.oidc_enabled:

@erikjohnston
Copy link
Member

I'm in two minds about this one. Firstly, I think you have a point that its unnecessary, however I think it is useful for debugging purposes to see that the URL is correct but SSO has been disabled.

@dklimpel
Copy link
Contributor Author

dklimpel commented Apr 11, 2023
edited
Loading

IMO this kind of debugging or validating a configuration is not the right one for productive systems.
There is a feature flag. This flag is for disabling the feature and not only parts of it.
Loading the api also needs resources. Even if it is probably insignificant.

@reivilibre reivilibre added A-SSO Single Sign-On (maybe OIDC) S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. labels Apr 11, 2023
@dklimpel dklimpel mentioned this issue Apr 12, 2023
Merged
4 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
A-SSO Single Sign-On (maybe OIDC) S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Load SSO rest API for redirect only if SSO is enabled dklimpel/synapse_archive
3 participants
@dklimpel @erikjohnston @reivilibre