diff options
| author | richvdh <richvdh@users.noreply.github.com> | 2022-01-17 12:35:28 +0000 |
|---|---|---|
| committer | richvdh <richvdh@users.noreply.github.com> | 2022-01-17 12:35:28 +0000 |
| commit | 2f8c31c0f6ac0a95b6be3e64eb4b354ae1b2ed98 (patch) | |
| tree | 6e0757b553c52276503bf04adeef631d83cc5afa /develop/print.html | |
| parent | deploy: 18862f20b5495bdc556c54e92fd4b1efdc718ba7 (diff) | |
| download | synapse-2f8c31c0f6ac0a95b6be3e64eb4b354ae1b2ed98.tar.xz | |
deploy: b0352f9c08a16bf6c2abf4eeb014774f59e69458
Diffstat (limited to 'develop/print.html')
| -rw-r--r-- | develop/print.html | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/develop/print.html b/develop/print.html index bcaeb547d8..f468deca33 100644 --- a/develop/print.html +++ b/develop/print.html @@ -4991,10 +4991,13 @@ saml2_config: # Defaults to false. Avoid this in production. # # user_profile_method: Whether to fetch the user profile from the userinfo -# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. +# endpoint, or to rely on the data returned in the id_token from the +# token_endpoint. # -# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is -# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the +# Valid values are: 'auto' or 'userinfo_endpoint'. +# +# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is +# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the # userinfo endpoint. # # allow_existing_users: set to 'true' to allow a user logging in via OIDC to @@ -6681,8 +6684,6 @@ https://developers.google.com/identity/protocols/oauth2/openid-connect#appsetup) display_name_template: '{{ user.name }}' </code></pre> <h3 id="facebook"><a class="header" href="#facebook">Facebook</a></h3> -<p>Like Github, Facebook provide a custom OAuth2 API rather than an OIDC-compliant -one so requires a little more configuration.</p> <ol start="0"> <li>You will need a Facebook developer account. You can register for one <a href="https://developers.facebook.com/async/registration/">here</a>.</li> @@ -6704,25 +6705,28 @@ and "App Secret" for use below.</li> idp_name: Facebook idp_brand: "facebook" # optional: styling hint for clients discover: false - issuer: "https://facebook.com" + issuer: "https://www.facebook.com" client_id: "your-client-id" # TO BE FILLED client_secret: "your-client-secret" # TO BE FILLED scopes: ["openid", "email"] - authorization_endpoint: https://facebook.com/dialog/oauth - token_endpoint: https://graph.facebook.com/v9.0/oauth/access_token - user_profile_method: "userinfo_endpoint" - userinfo_endpoint: "https://graph.facebook.com/v9.0/me?fields=id,name,email,picture" + authorization_endpoint: "https://facebook.com/dialog/oauth" + token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token" + jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/" user_mapping_provider: config: - subject_claim: "id" display_name_template: "{{ user.name }}" + email_template: "{{ '{{ user.email }}' }}" </code></pre> <p>Relevant documents:</p> <ul> -<li>https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow</li> -<li>Using Facebook's Graph API: https://developers.facebook.com/docs/graph-api/using-graph-api/</li> -<li>Reference to the User endpoint: https://developers.facebook.com/docs/graph-api/reference/user</li> +<li><a href="https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow">Manually Build a Login Flow</a></li> +<li><a href="https://developers.facebook.com/docs/graph-api/using-graph-api/">Using Facebook's Graph API</a></li> +<li><a href="https://developers.facebook.com/docs/graph-api/reference/user">Reference to the User endpoint</a></li> </ul> +<p>Facebook do have an <a href="https://www.facebook.com/.well-known/openid-configuration">OIDC discovery endpoint</a>, +but it has a <code>response_types_supported</code> which excludes "code" (which we rely on, and +is even mentioned in their <a href="https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login">documentation</a>), +so we have to disable discovery and configure the URIs manually.</p> <h3 id="gitea"><a class="header" href="#gitea">Gitea</a></h3> <p>Gitea is, like Github, not an OpenID provider, but just an OAuth2 provider.</p> <p>The <a href="https://try.gitea.io/api/swagger#/user/userGetCurrent"><code>/user</code> API endpoint</a> |