MSC3861: allow overriding the introspection endpoint (#17406)

This makes it easier to go through an internal endpoint instead of the public facing URL when introspecting tokens, reducing latency.
element-hq · Jul 8, 2024 · c896030 · c896030
1 parent 4d7e537
commit c896030
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 2 deletions.
diff --git a/changelog.d/17406.misc b/changelog.d/17406.misc
@@ -0,0 +1 @@
+MSC3861: allow overriding the introspection endpoint.
diff --git a/synapse/api/auth/msc3861_delegated.py b/synapse/api/auth/msc3861_delegated.py
@@ -145,6 +145,18 @@ async def _load_metadata(self) -> OpenIDProviderMetadata:
         # metadata.validate_introspection_endpoint()
         return metadata
 
+    async def _introspection_endpoint(self) -> str:
+        """
+        Returns the introspection endpoint of the issuer
+
+        It uses the config option if set, otherwise it will use OIDC discovery to get it
+        """
+        if self._config.introspection_endpoint is not None:
+            return self._config.introspection_endpoint
+
+        metadata = await self._load_metadata()
+        return metadata.get("introspection_endpoint")
+
     async def _introspect_token(self, token: str) -> IntrospectionToken:
         """
         Send a token to the introspection endpoint and returns the introspection response
@@ -161,8 +173,7 @@ async def _introspect_token(self, token: str) -> IntrospectionToken:
         Returns:
             The introspection response
         """
-        metadata = await self._issuer_metadata.get()
-        introspection_endpoint = metadata.get("introspection_endpoint")
+        introspection_endpoint = await self._introspection_endpoint()
         raw_headers: Dict[str, str] = {
             "Content-Type": "application/x-www-form-urlencoded",
             "User-Agent": str(self._http_client.user_agent, "utf-8"),

diff --git a/synapse/config/experimental.py b/synapse/config/experimental.py
@@ -140,6 +140,12 @@ def _check_client_auth_method(
                 ("experimental", "msc3861", "client_auth_method"),
             )
 
+    introspection_endpoint: Optional[str] = attr.ib(
+        default=None,
+        validator=attr.validators.optional(attr.validators.instance_of(str)),
+    )
+    """The URL of the introspection endpoint used to validate access tokens."""
+
     account_management_url: Optional[str] = attr.ib(
         default=None,
         validator=attr.validators.optional(attr.validators.instance_of(str)),
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		MSC3861: allow overriding the introspection endpoint.