If an IdP is configured with user_profile_method: "userinfo_endpoint", we allow it to not specify a jwks_uri property. jwks_uri is used if the IdP gives us an id_token, which is a JWT including profile information about the user being authenticated.
Initially, we would ignore id_token if the configured method to retrieve the user profile is userinfo_endpoint, which means in this case we don't care whether jwks_uri is defined. However, matrix-org/synapse#11482 changed this logic so that we always validate and parse the id_token, regardless of what user_profile_method is set to.
This means that if an IdP is configured to use the userinfo endpoint and doesn't have jwks_uri set, authenticating via this IdP will fail with this error:
This error is raised in this function:
https://github.com/matrix-org/synapse/blob/6ff99e3bea481790782c252c5433e9a88f65c4b0/synapse/handlers/oidc.py#L502-L514
which still seems to think that it's impossible to reach it if the userinfo endpoint is used.
I chatted with @sandhose about this and the reasoning behind this logic is that if the IdP sends an id_token, it expects it to be validated.
I see a few ways to fix this issue:
1. raise early with a less cryptic error if we realise the IdP sent us an id_token but we don't have a jwks_uri in the config
2. make it mandatory to have jwks_uri set if the openid scope is listed in scopes
3. go back to ignoring the id_token if we're using the userinfo endpoint (we do nothing with it apart from validating it in this case anyway)
I would lean towards 2, as it looks like the openid scope basically tells the IdP it should send an id_token. However, I don't have much context or knowledge around the OIDC spec and its implementation in Synapse, so I'd be happy to read others' opinions.
This issue has been migrated from #12980.
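Fix options 1 and 2 from the issue, as an added example in Python that is not Synapse's own code; the provider dict shape and the function names are assumptions for illustration:

```python
# Added example, not Synapse's own code: a configuration-time check for an
# OIDC provider entry (option 2) and an early, clear check on the IdP's token
# response (option 1). The dict shape and function names are assumptions.
from typing import Any, Dict, List, Optional


def validate_provider_config(provider: Dict[str, Any]) -> List[str]:
    """Option 2: return configuration problems (empty list means OK).

    Requesting the "openid" scope tells the IdP to return an id_token, and an
    id_token can only be validated against the keys published at jwks_uri, so
    the two must go together even when user_profile_method is
    "userinfo_endpoint" and the profile itself never comes from the id_token.
    """
    problems: List[str] = []
    scopes = provider.get("scopes", [])
    if "openid" in scopes and not provider.get("jwks_uri"):
        problems.append(
            "jwks_uri must be set when the 'openid' scope is requested: "
            "the IdP will return an id_token that has to be validated"
        )
    return problems


def id_token_problem(provider: Dict[str, Any],
                     token_response: Dict[str, Any]) -> Optional[str]:
    """Option 1: before any JWT parsing, say why an id_token cannot be handled.

    Returns None when the response is fine: either no id_token was sent, or
    one was sent and jwks_uri is available to verify its signature.
    """
    if "id_token" not in token_response:
        return None
    if not provider.get("jwks_uri"):
        return ("IdP returned an id_token but jwks_uri is not configured; "
                "set jwks_uri or drop the 'openid' scope from scopes")
    return None


if __name__ == "__main__":
    # Constructed provider entry reproducing the issue: userinfo endpoint,
    # openid scope requested, no jwks_uri.
    idp = {"scopes": ["openid", "profile"],
           "user_profile_method": "userinfo_endpoint"}
    print(validate_provider_config(idp))
    print(id_token_problem(idp, {"access_token": "tok", "id_token": "a.b.c"}))
```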