From 466994743ab10a590fc2e70ae8bbba4677049daa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andre=20Kl=C3=A4rner?= Date: Sat, 13 Dec 2025 01:07:39 +0100 Subject: [PATCH] Document importance of `public_baseurl` for delegation and OIDC (#19270) I just stumbled across the fact that my config used delegation as recommended by the docs, and hosted Synapse on a subdomain. However my config never had `public_baseurl` set and worked without issues, until I just now tried to setup OIDC. OIDC is initialized by the client instructing to open a URL on the homeserver, and initially the correct URL is called, but Synapse does not recognize it without `public_baseurl` being set correctly. After changing this it immediately started working. So in order to prevent anybody from making the same mistake, this adds a small clarifying block in the OIDC docs. --- changelog.d/19270.doc | 1 + docs/openid.md | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 changelog.d/19270.doc diff --git a/changelog.d/19270.doc b/changelog.d/19270.doc new file mode 100644 index 000000000..fdb7e2e51 --- /dev/null +++ b/changelog.d/19270.doc @@ -0,0 +1 @@ +Document the importance of `public_baseurl` when configuring OpenID Connect authentication. diff --git a/docs/openid.md b/docs/openid.md index 819f75439..e91d375c4 100644 --- a/docs/openid.md +++ b/docs/openid.md 
@@ -50,6 +50,11 @@ setting in your configuration file. See the [configuration manual](usage/configuration/config_documentation.md#oidc_providers) for some sample settings, as well as the text below for example configurations for specific providers. +For setups using [`.well-known` delegation](delegate.md), make sure +[`public_baseurl`](usage/configuration/config_documentation.md#public_baseurl) is set +appropriately. If unset, Synapse defaults to `https:///` which is used in +the OIDC callback URL. + ## OIDC Back-Channel Logout Synapse supports receiving [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) notifications.
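Review bot: In the paragraph added to docs/openid.md, the stated default reads `https:///` with nothing between the slashes, so a reader cannot tell which host Synapse falls back to when `public_baseurl` is unset. If a placeholder in angle brackets was intended, it is likely being swallowed as markup; escape it or describe the value in words. "Set appropriately" is also vague. Going by the commit message, the case to cover is Synapse hosted on a subdomain behind `.well-known` delegation, so the text should say that `public_baseurl` must be the URL at which clients actually reach Synapse. It would also help to name the symptom the commit message describes (the OIDC flow opens the correct URL but Synapse does not recognize it), so that someone searching for that failure finds this paragraph.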