Merged
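--- a/changelog.d/19186.bugfix
+++ b/changelog.d/19186.bugfix
@@ -0,0 +1 @@
+Fix regression preventing subpaths in MAS endpoints.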
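--- a/synapse/api/auth/mas.py
+++ b/synapse/api/auth/mas.py
@@ -17,7 +17,6 @@
 from urllib.parse import urlencode
 
 from pydantic import (
-AnyHttpUrl,
 BaseModel,
 ConfigDict,
 StrictBool,
@@ -147,33 +146,13 @@ def __init__(self, hs: "HomeServer"):
 
 @property
 def _metadata_url(self) -> str:
-return str(
-AnyHttpUrl.build(
-scheme=self._config.endpoint.scheme,
-username=self._config.endpoint.username,
-password=self._config.endpoint.password,
-host=self._config.endpoint.host or "",
-port=self._config.endpoint.port,
-path=".well-known/openid-configuration",
-query=None,
-fragment=None,
-)
+return (
+f"{str(self._config.endpoint).rstrip('/')}/.well-known/openid-configuration"
 )
 
 @property
 def _introspection_endpoint(self) -> str:
-return str(
-AnyHttpUrl.build(
-scheme=self._config.endpoint.scheme,
-username=self._config.endpoint.username,
-password=self._config.endpoint.password,
-host=self._config.endpoint.host or "",
-port=self._config.endpoint.port,
-path="oauth2/introspect",
-query=None,
-fragment=None,
-)
-)
+return f"{str(self._config.endpoint).rstrip('/')}/oauth2/introspect"
 
 async def _load_metadata(self) -> ServerMetadata:
 response = await self._http_client.get_json(self._metadata_url)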
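Review bot: Both new properties append their suffix to `str(self._config.endpoint).rstrip('/')`, so a query string or fragment in the configured endpoint would now land in the middle of the resulting URL, whereas the removed `AnyHttpUrl.build(...)` calls passed `query=None, fragment=None` and dropped them. For `_introspection_endpoint`, which presumably carries the token being checked, that would send the request somewhere other than the intended path, so such endpoints are worth rejecting when the config is parsed (that validation is not visible here and may already exist). The userinfo part is kept verbatim as before, so these strings should stay out of log messages if the endpoint can carry a password. The repeated expression could also move into one helper, e.g. `def _endpoint_base(self) -> str: return str(self._config.endpoint).rstrip("/")`, with a comment that the endpoint may include a subpath. The class header and the rest of `_load_metadata` lie outside the hunk.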
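--- a/tests/handlers/test_oauth_delegation.py
+++ b/tests/handlers/test_oauth_delegation.py
@@ -1057,6 +1057,32 @@ def test_cached_expired_introspection(self) -> None:
 self.assertEqual(self.server.calls, 1)
 
 
+class MasAuthDelegationWithSubpath(MasAuthDelegation):
+"""Test MAS delegation when the MAS server is hosted on a subpath."""
+
+def default_config(self) -> dict[str, Any]:
+config = super().default_config()
+# Override the endpoint to include a subpath
+config["matrix_authentication_service"]["endpoint"] = (
+self.server.endpoint + "auth/path/"
+)
+return config
+
+def test_introspection_endpoint_uses_subpath(self) -> None:
+"""Test that the introspection endpoint correctly uses the configured subpath."""
+expected_introspection_url = (
+self.server.endpoint + "auth/path/oauth2/introspect"
+)
+self.assertEqual(self._auth._introspection_endpoint, expected_introspection_url)
+
+def test_metadata_url_uses_subpath(self) -> None:
+"""Test that the metadata URL correctly uses the configured subpath."""
+expected_metadata_url = (
+self.server.endpoint + "auth/path/.well-known/openid-configuration"
+)
+self.assertEqual(self._auth._metadata_url, expected_metadata_url)
+
+
 @parameterized_class(
 ("config",),
 [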
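Review bot: The new `default_config` only covers an endpoint that ends in a slash (`"auth/path/"`), so the `rstrip('/')` normalisation in the code under test is pinned for one form only. A second case using `self.server.endpoint + "auth/path"` would cover the form without a trailing slash, which an operator is just as likely to write. Both tests compare strings assembled the same way as the implementation; whether the test methods inherited from `MasAuthDelegation` actually reach the fake server through the subpath depends on code outside this hunk. A short comment on the class, such as `# Inherited MasAuthDelegation tests run again here against a subpath endpoint.`, would make that intent explicit if it is the case.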