From fd91555f1af0becf41f6ecc7a276de6114aefc04 Mon Sep 17 00:00:00 2001 From: Azrenbeth Date: Tue, 7 Sep 2021 16:19:34 +0000 Subject: deploy: e7b78dcc4a6bf8fdb71782640932da8dff7cc5ed
---
 latest/openid.html | 64 ++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 57 insertions(+), 7 deletions(-) (limited to 'latest/openid.html')
diff --git a/latest/openid.html b/latest/openid.html
index f0f293c057..2105f59418 100644
--- a/latest/openid.html
+++ b/latest/openid.html
@@ -99,7 +99,7 @@
@@ -250,7 +250,7 @@ Edit your Synapse config file and change the oidc_config section: -

Dex

+

Dex

Dex is a simple, open-source, certified OpenID Connect Provider. Although it is designed to help building a full-blown provider with an external database, it can be configured with static passwords in a config file.

@@ -279,7 +279,7 @@ to install Dex.

localpart_template: "{{ user.name }}" display_name_template: "{{ user.name|capitalize }}" -

Keycloak

+

Keycloak

Keycloak is an opensource IdP maintained by Red Hat.

Follow the Getting Started Guide to install Keycloak and set up a realm.

    @@ -328,7 +328,8 @@ to install Dex.

    localpart_template: "{{ user.preferred_username }}" display_name_template: "{{ user.name }}" -

    Auth0

    +

    Auth0

    +

    Auth0 is a hosted SaaS IdP solution.

    1. Create a regular web application for Synapse

      @@ -371,7 +372,7 @@ to install Dex.

      display_name_template: "{{ user.name }}"

      GitHub

      -

      GitHub is a bit special as it is not an OpenID Connect compliant provider, but +

      GitHub is a bit special as it is not an OpenID Connect compliant provider, but just a regular OAuth2 provider.

      The /user API endpoint can be used to retrieve information on the authenticated user. As the Synapse @@ -400,11 +401,12 @@ does not return a sub property, an alternative subject_claim< localpart_template: "{{ user.login }}" display_name_template: "{{ user.name }}" -

      Google

      +

      Google

      +

      Google is an OpenID certified authentication and authorisation provider.

      1. Set up a project in the Google API Console (see https://developers.google.com/identity/protocols/oauth2/openid-connect#appsetup).
      2. -
      3. add an "OAuth Client ID" for a Web Application under "Credentials".
      4. +
      5. Add an "OAuth Client ID" for a Web Application under "Credentials".
      6. Copy the Client ID and Client Secret, and add the following to your synapse config:
        oidc_providers:
           - idp_id: google
        @@ -582,6 +584,54 @@ documentation on setting up SiWA.

        config: email_template: "{{ user.email }}"
        +

        Django OAuth Toolkit

        +

        django-oauth-toolkit is a +Django application providing out of the box all the endpoints, data and logic +needed to add OAuth2 capabilities to your Django projects. It supports +OpenID Connect too.

        +

        Configuration on Django's side:

        +
          +
        1. Add an application: https://example.com/admin/oauth2_provider/application/add/ and choose parameters like this:
        2. +
        +
          +
        • Redirect uris: https://synapse.example.com/_synapse/client/oidc/callback
        • +
        • Client type: Confidential
        • +
        • Authorization grant type: Authorization code
        • +
        • Algorithm: HMAC with SHA-2 256
        • +
        +
          +
        1. +

          You can customize the claims Django gives to synapse (optional):

          +
          + Code sample +
          class CustomOAuth2Validator(OAuth2Validator):
          +
          +    def get_additional_claims(self, request):
          +        return {
          +            "sub": request.user.email,
          +            "email": request.user.email,
          +            "first_name": request.user.first_name,
          +            "last_name": request.user.last_name,
          +        }
          +
          +
          +
        2. +
        +

        Your synapse config is then:

        +
        oidc_providers:
        +  - idp_id: django_example
        +    idp_name: "Django Example"
        +    issuer: "https://example.com/o/"
        +    client_id: "your-client-id"  # CHANGE ME
        +    client_secret: "your-client-secret"  # CHANGE ME
        +    scopes: ["openid"]
        +    user_profile_method: "userinfo_endpoint"  # needed because oauth-toolkit does not include user information in the authorization response
        +    user_mapping_provider:
        +      config:
        +        localpart_template: "{{ user.email.split('@')[0] }}"
        +        display_name_template: "{{ user.first_name }} {{ user.last_name }}"
        +        email_template: "{{ user.email }}"
        +