Add config option for always using userinfo endpoint

synapse/config/oidc_config.py

@@ -56,6 +56,7 @@ def read_config(self, config, **kwargs):
         self.oidc_userinfo_endpoint = oidc_config.get("userinfo_endpoint")
         self.oidc_jwks_uri = oidc_config.get("jwks_uri")
         self.oidc_skip_verification = oidc_config.get("skip_verification", False)
+        self.oidc_uses_userinfo = oidc_config.get("uses_userinfo", False)
 
         ump_config = oidc_config.get("user_mapping_provider", {})
         ump_config.setdefault("module", DEFAULT_USER_MAPPING_PROVIDER)
@@ -158,6 +159,11 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs):
           #
           #skip_verification: true
 
+          # Always use userinfo endpoint. Required for providers that don't include user
+          # information in the token response, e.g. Gitlab.
+          #
+          #uses_userinfo: false
+
           # An external module can be provided here as a custom solution to mapping
           # attributes returned from a OIDC provider onto a matrix user.
           #

synapse/handlers/oidc_handler.py

@@ -94,6 +94,7 @@ class OidcHandler:
     def __init__(self, hs: HomeServer):
         self._callback_url = hs.config.oidc_callback_url  # type: str
         self._scopes = hs.config.oidc_scopes  # type: List[str]
+        self._uses_userinfo_config = hs.config.oidc_uses_userinfo  # type: bool
         self._client_auth = ClientAuth(
             hs.config.oidc_client_id,
             hs.config.oidc_client_secret,
@@ -224,8 +225,7 @@ def _uses_userinfo(self) -> bool:
         ``access_token`` with the ``userinfo_endpoint``.
         """
 
-        # Maybe that should be user-configurable and not inferred?
-        return "openid" not in self._scopes
+        return self._uses_userinfo_config or "openid" not in self._scopes
 
     async def load_metadata(self) -> OpenIDProviderMetadata:
         """Load and validate the provider metadata.