Add config option for always using "userinfo endpoint" for OIDC (#7658)

This allows for connecting to certain IdPs, e.g. GitLab.
author: BBBSnowball <bbbsnowball@gmail.com> 2020-10-01 19:54:35 +0200
committer: GitHub <noreply@github.com> 2020-10-01 13:54:35 -0400
commit: 05ee048f2c9ce0bb8a7d2430b21ca3682ef5858b (patch)
tree: 87485cf6c0e87b270db93ff00e6eeda9c2b3236c /docs
parent: Merge tag 'v1.21.0rc1' into develop (diff)
download: synapse-05ee048f2c9ce0bb8a7d2430b21ca3682ef5858b.tar.xz
2 files changed, 40 insertions, 9 deletions
diff --git a/docs/openid.md b/docs/openid.md
index 70b37f858b..4873681999 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -238,13 +238,36 @@ Synapse config:
 
 ```yaml
 oidc_config:
-   enabled: true
-   issuer: "https://id.twitch.tv/oauth2/"
-   client_id: "your-client-id" # TO BE FILLED
-   client_secret: "your-client-secret" # TO BE FILLED
-   client_auth_method: "client_secret_post"
-   user_mapping_provider:
-     config:
-       localpart_template: '{{ user.preferred_username }}'
-       display_name_template: '{{ user.name }}'
+  enabled: true
+  issuer: "https://id.twitch.tv/oauth2/"
+  client_id: "your-client-id" # TO BE FILLED
+  client_secret: "your-client-secret" # TO BE FILLED
+  client_auth_method: "client_secret_post"
+  user_mapping_provider:
+    config:
+      localpart_template: "{{ user.preferred_username }}"
+      display_name_template: "{{ user.name }}"
+```
+
+### GitLab
+
+1. Create a [new application](https://gitlab.com/profile/applications).
+2. Add the `read_user` and `openid` scopes.
+3. Add this Callback URL: `[synapse public baseurl]/_synapse/oidc/callback`
+
+Synapse config:
+
+```yaml
+oidc_config:
+  enabled: true
+  issuer: "https://gitlab.com/"
+  client_id: "your-client-id" # TO BE FILLED
+  client_secret: "your-client-secret" # TO BE FILLED
+  client_auth_method: "client_secret_post"
+  scopes: ["openid", "read_user"]
+  user_profile_method: "userinfo_endpoint"
+  user_mapping_provider:
+    config:
+      localpart_template: '{{ user.nickname }}'
+      display_name_template: '{{ user.name }}'
 ```
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 8a3206e845..b2c1d7a737 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1714,6 +1714,14 @@ oidc_config:
   #
   #skip_verification: true
 
+  # Whether to fetch the user profile from the userinfo endpoint. Valid
+  # values are: "auto" or "userinfo_endpoint".
+  #
+  # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included
+  # in `scopes`. Uncomment the following to always fetch the userinfo endpoint.
+  #
+  #user_profile_method: "userinfo_endpoint"
+
   # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
   # of failing. This could be used if switching from password logins to OIDC. Defaults to false.
   #
author	BBBSnowball <bbbsnowball@gmail.com>	2020-10-01 19:54:35 +0200
committer	GitHub <noreply@github.com>	2020-10-01 13:54:35 -0400
commit	05ee048f2c9ce0bb8a7d2430b21ca3682ef5858b (patch)
tree	87485cf6c0e87b270db93ff00e6eeda9c2b3236c /docs
parent	Merge tag 'v1.21.0rc1' into develop (diff)
download	synapse-05ee048f2c9ce0bb8a7d2430b21ca3682ef5858b.tar.xz