Document importance of public_baseurl for delegation and OIDC (#19270)

I just stumbled across the fact that my config used delegation as recommended by the docs, and hosted Synapse on a subdomain. However my config never had `public_baseurl` set and worked without issues, until I just now tried to setup OIDC. OIDC is initialized by the client instructing to open a URL on the homeserver, and initially the correct URL is called, but Synapse does not recognize it without `public_baseurl` being set correctly. After changing this it immediately started working. So in order to prevent anybody from making the same mistake, this adds a small clarifying block in the OIDC docs.
2025-12-13 01:07:39 +01:00
parent df24e0f302
commit 466994743a
2 changed files with 6 additions and 0 deletions
--- a/changelog.d/19270.doc
+++ b/changelog.d/19270.doc
@@ -0,0 +1 @@
+Document the importance of `public_baseurl` when configuring OpenID Connect authentication.
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -50,6 +50,11 @@ setting in your configuration file.
 See the [configuration manual](usage/configuration/config_documentation.md#oidc_providers) for some sample settings, as well as
 the text below for example configurations for specific providers.

+For setups using [`.well-known` delegation](delegate.md), make sure
+[`public_baseurl`](usage/configuration/config_documentation.md#public_baseurl) is set
+appropriately. If unset, Synapse defaults to `https://<server_name>/` which is used in
+the OIDC callback URL.
+
 ## OIDC Back-Channel Logout

 Synapse supports receiving [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) notifications.
				`@@ -0,0 +1 @@`
				Document the importance of `public_baseurl` when configuring OpenID Connect authentication.