From 524f65cb0c036c7128a7f47a12c494b85c3a07b0 Mon Sep 17 00:00:00 2001
From: Roman Isaev
Date: Mon, 30 Dec 2024 19:50:13 +0000
Subject: [PATCH] mas: add AccountTypeOIDCService
---
 setup/mscs/msc3861/msc3861_user_verifier.go | 5 ++---
 userapi/api/api.go | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/setup/mscs/msc3861/msc3861_user_verifier.go b/setup/mscs/msc3861/msc3861_user_verifier.go
index 597b844e..c0f4342b 100644
--- a/setup/mscs/msc3861/msc3861_user_verifier.go
+++ b/setup/mscs/msc3861/msc3861_user_verifier.go
@@ -127,7 +127,7 @@ func (m *MSC3861UserVerifier) VerifyUserFromRequest(req *http.Request) (*api.Dev
 // Do not record requests from MAS using the virtual `__oidc_admin` user.
 if token != m.cfg.AdminToken {
- // TODO: not sure which exact data we should record here. See the link for reference
+ // XXX: not sure which exact data we should record here. See the link for reference
 // https://github.com/element-hq/synapse/blob/develop/synapse/api/auth/base.py#L365
 }
@@ -156,7 +156,6 @@ func (m *MSC3861UserVerifier) getUserByAccessToken(ctx context.Context, token st
 // XXX: This is a temporary solution so that the admin API can be called by
 // the OIDC provider. This will be removed once we have OIDC client
 // credentials grant support in matrix-authentication-service.
- logger.Info("Admin token used")
 // XXX: that user doesn't exist and won't be provisioned.
 adminUser, err := createUserID("__oidc_admin", m.serverName)
 if err != nil {
@@ -165,7 +164,7 @@ func (m *MSC3861UserVerifier) getUserByAccessToken(ctx context.Context, token st
 return &requester{
 UserID: adminUser,
 Scope: []string{"urn:synapse:admin:*"},
- Device: &api.Device{UserID: adminUser.Local(), AccountType: api.AccountTypeAdmin},
+ Device: &api.Device{UserID: adminUser.Local(), AccountType: api.AccountTypeOIDCService},
 }, nil
 }
diff --git a/userapi/api/api.go b/userapi/api/api.go
index 5387276b..2efa8976 100644
--- a/userapi/api/api.go
+++ b/userapi/api/api.go
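Review bot: On the changed `Device:` line in the third hunk, the admin-token requester keeps `Scope: []string{"urn:synapse:admin:*"}` but its device is now `api.AccountTypeOIDCService`. Any authorization check that compares a device's `AccountType` with `api.AccountTypeAdmin` will therefore treat this identity differently than before. The commit touches only this file and `userapi/api/api.go`, so every handler that gates on `AccountType` should be checked, and the intended privilege stated next to the literal, e.g. `// MAS service identity: not AccountTypeAdmin; admin-only handlers must allow AccountTypeOIDCService explicitly`. The preceding hunk also removes `logger.Info("Admin token used")`, and the first hunk shows these requests are deliberately not recorded, so use of the static admin token appears to leave no trace; a lower-level log line would keep that signal. getUserByAccessToken starts and continues outside the hunk.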
@@ -529,6 +529,8 @@ const (
 AccountTypeAdmin AccountType = 3
 // AccountTypeAppService indicates this is an appservice account
 AccountTypeAppService AccountType = 4
+ // AccountTypeOIDC indicates this is an account belonging to Matrix Authentication Service (MAS)
+ AccountTypeOIDCService AccountType = 5
 )
 type QueryPushersRequest struct {
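Review bot: The doc comment on the new constant names `AccountTypeOIDC`, but the identifier is `AccountTypeOIDCService`, so the comment does not follow the Go convention of opening with the declared name and a search for the constant will miss it. It also does not say what the type is allowed to do, which matters because this value replaces `AccountTypeAdmin` for the MAS admin token. Suggested wording: `// AccountTypeOIDCService indicates this is the service account used by Matrix Authentication Service (MAS); it is not an admin account`. The last clause should be adjusted to whatever privilege is actually intended. The `const (` block opens outside the hunk.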