diff --git a/CHANGES.md b/CHANGES.md
index 4237550818..d5e578ee3a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,90 @@
+Synapse 1.24.0rc2 (2020-12-04)
+==============================
+
+Bugfixes
+--------
+
+- Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page. ([\#8878](https://github.com/matrix-org/synapse/issues/8878))
+
+
+Internal Changes
+----------------
+
+- Add support for the `prometheus_client` newer than 0.9.0. Contributed by Jordan Bancino. ([\#8875](https://github.com/matrix-org/synapse/issues/8875))
+
+
+Synapse 1.24.0rc1 (2020-12-02)
+==============================
+
+Features
+--------
+
+- Add admin API for logging in as a user. ([\#8617](https://github.com/matrix-org/synapse/issues/8617))
+- Allow specification of the SAML IdP if the metadata returns multiple IdPs. ([\#8630](https://github.com/matrix-org/synapse/issues/8630))
+- Add support for re-trying generation of a localpart for OpenID Connect mapping providers. ([\#8801](https://github.com/matrix-org/synapse/issues/8801), [\#8855](https://github.com/matrix-org/synapse/issues/8855))
+- Allow the `Date` header through CORS. Contributed by Nicolas Chamo. ([\#8804](https://github.com/matrix-org/synapse/issues/8804))
+- Add a config option, `push.group_by_unread_count`, which controls whether unread message counts in push notifications are defined as "the number of rooms with unread messages" or "total unread messages". ([\#8820](https://github.com/matrix-org/synapse/issues/8820))
+- Add `force_purge` option to delete-room admin api. ([\#8843](https://github.com/matrix-org/synapse/issues/8843))
+
+
+Bugfixes
+--------
+
+- Fix a bug where appservices may be sent an excessive amount of read receipts and presence. Broke in v1.22.0. ([\#8744](https://github.com/matrix-org/synapse/issues/8744))
+- Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body. ([\#8776](https://github.com/matrix-org/synapse/issues/8776))
+- Fix a bug where synctl could spawn duplicate copies of a worker. Contributed by Waylon Cude. ([\#8798](https://github.com/matrix-org/synapse/issues/8798))
+- Allow per-room profiles to be used for the server notice user. ([\#8799](https://github.com/matrix-org/synapse/issues/8799))
+- Fix a bug where logging could break after a call to SIGHUP. ([\#8817](https://github.com/matrix-org/synapse/issues/8817))
+- Fix `register_new_matrix_user` failing with "Bad Request" when trailing slash is included in server URL. Contributed by @angdraug. ([\#8823](https://github.com/matrix-org/synapse/issues/8823))
+- Fix a minor long-standing bug in login, where we would offer the `password` login type if a custom auth provider supported it, even if password login was disabled. ([\#8835](https://github.com/matrix-org/synapse/issues/8835))
+- Fix a long-standing bug which caused Synapse to require unspecified parameters during user-interactive authentication. ([\#8848](https://github.com/matrix-org/synapse/issues/8848))
+- Fix a bug introduced in v1.20.0 where the user-agent and IP address reported during user registration for CAS, OpenID Connect, and SAML were of the wrong form. ([\#8784](https://github.com/matrix-org/synapse/issues/8784))
+
+
+Improved Documentation
+----------------------
+
+- Clarify the usecase for a msisdn delegate. Contributed by Adrian Wannenmacher. ([\#8734](https://github.com/matrix-org/synapse/issues/8734))
+- Remove extraneous comma from JSON example in User Admin API docs. ([\#8771](https://github.com/matrix-org/synapse/issues/8771))
+- Update `turn-howto.md` with troubleshooting notes. ([\#8779](https://github.com/matrix-org/synapse/issues/8779))
+- Fix the example on how to set the `Content-Type` header in nginx for the Client Well-Known URI. ([\#8793](https://github.com/matrix-org/synapse/issues/8793))
+- Improve the documentation for the admin API to list all media in a room with respect to encrypted events. ([\#8795](https://github.com/matrix-org/synapse/issues/8795))
+- Update the formatting of the `push` section of the homeserver config file to better align with the [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format). ([\#8818](https://github.com/matrix-org/synapse/issues/8818))
+- Improve documentation how to configure prometheus for workers. ([\#8822](https://github.com/matrix-org/synapse/issues/8822))
+- Update example prometheus console. ([\#8824](https://github.com/matrix-org/synapse/issues/8824))
+
+
+Deprecations and Removals
+-------------------------
+
+- Remove old `/_matrix/client/*/admin` endpoints which were deprecated since Synapse 1.20.0. ([\#8785](https://github.com/matrix-org/synapse/issues/8785))
+- Disable pretty printing JSON responses for curl. Users who want pretty-printed output should use [jq](https://stedolan.github.io/jq/) in combination with curl. Contributed by @tulir. ([\#8833](https://github.com/matrix-org/synapse/issues/8833))
+
+
+Internal Changes
+----------------
+
+- Simplify the way the `HomeServer` object caches its internal attributes. ([\#8565](https://github.com/matrix-org/synapse/issues/8565), [\#8851](https://github.com/matrix-org/synapse/issues/8851))
+- Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru. ([\#8731](https://github.com/matrix-org/synapse/issues/8731))
+- Generalise `RoomMemberHandler._locally_reject_invite` to apply to more flows than just invite. ([\#8751](https://github.com/matrix-org/synapse/issues/8751))
+- Generalise `RoomStore.maybe_store_room_on_invite` to handle other, non-invite membership events. ([\#8754](https://github.com/matrix-org/synapse/issues/8754))
+- Refactor test utilities for injecting HTTP requests. ([\#8757](https://github.com/matrix-org/synapse/issues/8757), [\#8758](https://github.com/matrix-org/synapse/issues/8758), [\#8759](https://github.com/matrix-org/synapse/issues/8759), [\#8760](https://github.com/matrix-org/synapse/issues/8760), [\#8761](https://github.com/matrix-org/synapse/issues/8761), [\#8777](https://github.com/matrix-org/synapse/issues/8777))
+- Consolidate logic between the OpenID Connect and SAML code. ([\#8765](https://github.com/matrix-org/synapse/issues/8765))
+- Use `TYPE_CHECKING` instead of magic `MYPY` variable. ([\#8770](https://github.com/matrix-org/synapse/issues/8770))
+- Add a commandline script to sign arbitrary json objects. ([\#8772](https://github.com/matrix-org/synapse/issues/8772))
+- Minor log line improvements for the SSO mapping code used to generate Matrix IDs from SSO IDs. ([\#8773](https://github.com/matrix-org/synapse/issues/8773))
+- Add additional error checking for OpenID Connect and SAML mapping providers. ([\#8774](https://github.com/matrix-org/synapse/issues/8774), [\#8800](https://github.com/matrix-org/synapse/issues/8800))
+- Add type hints to HTTP abstractions. ([\#8806](https://github.com/matrix-org/synapse/issues/8806), [\#8812](https://github.com/matrix-org/synapse/issues/8812))
+- Remove unnecessary function arguments and add typing to several membership replication classes. ([\#8809](https://github.com/matrix-org/synapse/issues/8809))
+- Optimise the lookup for an invite from another homeserver when trying to reject it. ([\#8815](https://github.com/matrix-org/synapse/issues/8815))
+- Add tests for `password_auth_provider`s. ([\#8819](https://github.com/matrix-org/synapse/issues/8819))
+- Drop redundant database index on `event_json`. ([\#8845](https://github.com/matrix-org/synapse/issues/8845))
+- Simplify `uk.half-shot.msc2778.login.application_service` login handler. ([\#8847](https://github.com/matrix-org/synapse/issues/8847))
+- Refactor `password_auth_provider` support code. ([\#8849](https://github.com/matrix-org/synapse/issues/8849))
+- Add missing `ordering` to background database updates. ([\#8850](https://github.com/matrix-org/synapse/issues/8850))
+- Allow for specifying a room version when creating a room in unit tests via `RestHelper.create_room_as`. ([\#8854](https://github.com/matrix-org/synapse/issues/8854))
+
+
Synapse 1.23.0 (2020-11-18)
===========================
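Review bot: the rc2 bugfix entry ("Fix a regression in v1.24.0rc1 which failed to allow SAML mapping providers which were unable to redirect users to an additional page") is a double negative that reads as the opposite of what the code change does: the sso.py hunk in this patch passes `RedirectException` through instead of wrapping it in a `MappingException`, i.e. providers *could not* redirect in rc1. Suggest "Fix a regression in v1.24.0rc1 which prevented SAML mapping providers from redirecting users to an additional page." Two smaller fixes in the same block: "Add support for the `prometheus_client` newer than 0.9.0" should read "Add support for `prometheus_client` versions newer than 0.9.0", and "homserver" in the SAML2 clock-skew entry under Internal Changes is a typo for "homeserver".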
diff --git a/changelog.d/8565.misc b/changelog.d/8565.misc
deleted file mode 100644
index 7bef422618..0000000000
--- a/changelog.d/8565.misc
+++ /dev/null
@@ -1 +0,0 @@
-Simplify the way the `HomeServer` object caches its internal attributes.
diff --git a/changelog.d/8617.feature b/changelog.d/8617.feature
deleted file mode 100644
index 4f1e788506..0000000000
--- a/changelog.d/8617.feature
+++ /dev/null
@@ -1 +0,0 @@
-Add admin API for logging in as a user.
diff --git a/changelog.d/8630.feature b/changelog.d/8630.feature
deleted file mode 100644
index 706051f131..0000000000
--- a/changelog.d/8630.feature
+++ /dev/null
@@ -1 +0,0 @@
-Allow specification of the SAML IdP if the metadata returns multiple IdPs.
diff --git a/changelog.d/8731.misc b/changelog.d/8731.misc
deleted file mode 100644
index df5882e960..0000000000
--- a/changelog.d/8731.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add an example and documentation for clock skew to the SAML2 sample configuration to allow for clock/time difference between the homserver and IdP. Contributed by @localguru.
diff --git a/changelog.d/8734.doc b/changelog.d/8734.doc
deleted file mode 100644
index 3bff9021c7..0000000000
--- a/changelog.d/8734.doc
+++ /dev/null
@@ -1 +0,0 @@
-Clarify the usecase for an msisdn delegate. Contributed by Adrian Wannenmacher.
diff --git a/changelog.d/8744.bugfix b/changelog.d/8744.bugfix
deleted file mode 100644
index f8f9630bd6..0000000000
--- a/changelog.d/8744.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug where appservices may be sent an excessive amount of read receipts and presence. Broke in v1.22.0.
diff --git a/changelog.d/8751.misc b/changelog.d/8751.misc
deleted file mode 100644
index 204c280c0e..0000000000
--- a/changelog.d/8751.misc
+++ /dev/null
@@ -1 +0,0 @@
-Generalise `RoomMemberHandler._locally_reject_invite` to apply to more flows than just invite.
\ No newline at end of file
diff --git a/changelog.d/8754.misc b/changelog.d/8754.misc
deleted file mode 100644
index 0436bb1be7..0000000000
--- a/changelog.d/8754.misc
+++ /dev/null
@@ -1 +0,0 @@
-Generalise `RoomStore.maybe_store_room_on_invite` to handle other, non-invite membership events.
\ No newline at end of file
diff --git a/changelog.d/8757.misc b/changelog.d/8757.misc
deleted file mode 100644
index 54502e9b90..0000000000
--- a/changelog.d/8757.misc
+++ /dev/null
@@ -1 +0,0 @@
-Refactor test utilities for injecting HTTP requests.
diff --git a/changelog.d/8758.misc b/changelog.d/8758.misc
deleted file mode 100644
index 54502e9b90..0000000000
--- a/changelog.d/8758.misc
+++ /dev/null
@@ -1 +0,0 @@
-Refactor test utilities for injecting HTTP requests.
diff --git a/changelog.d/8759.misc b/changelog.d/8759.misc
deleted file mode 100644
index 54502e9b90..0000000000
--- a/changelog.d/8759.misc
+++ /dev/null
@@ -1 +0,0 @@
-Refactor test utilities for injecting HTTP requests.
diff --git a/changelog.d/8760.misc b/changelog.d/8760.misc
deleted file mode 100644
index 54502e9b90..0000000000
--- a/changelog.d/8760.misc
+++ /dev/null
@@ -1 +0,0 @@
-Refactor test utilities for injecting HTTP requests.
diff --git a/changelog.d/8761.misc b/changelog.d/8761.misc
deleted file mode 100644
index e6da7d038d..0000000000
--- a/changelog.d/8761.misc
+++ /dev/null
@@ -1 +0,0 @@
- Refactor test utilities for injecting HTTP requests.
diff --git a/changelog.d/8765.misc b/changelog.d/8765.misc
deleted file mode 100644
index 053f9acc9c..0000000000
--- a/changelog.d/8765.misc
+++ /dev/null
@@ -1 +0,0 @@
-Consolidate logic between the OpenID Connect and SAML code.
diff --git a/changelog.d/8770.misc b/changelog.d/8770.misc
deleted file mode 100644
index b5876a82f9..0000000000
--- a/changelog.d/8770.misc
+++ /dev/null
@@ -1 +0,0 @@
-Use `TYPE_CHECKING` instead of magic `MYPY` variable.
diff --git a/changelog.d/8771.doc b/changelog.d/8771.doc
deleted file mode 100644
index 297cf61e98..0000000000
--- a/changelog.d/8771.doc
+++ /dev/null
@@ -1 +0,0 @@
-Remove extraneous comma from JSON example in User Admin API docs.
\ No newline at end of file
diff --git a/changelog.d/8772.misc b/changelog.d/8772.misc
deleted file mode 100644
index d74d0a3d5d..0000000000
--- a/changelog.d/8772.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add a commandline script to sign arbitrary json objects.
diff --git a/changelog.d/8773.misc b/changelog.d/8773.misc
deleted file mode 100644
index 62778ba410..0000000000
--- a/changelog.d/8773.misc
+++ /dev/null
@@ -1 +0,0 @@
-Minor log line improvements for the SSO mapping code used to generate Matrix IDs from SSO IDs.
diff --git a/changelog.d/8774.misc b/changelog.d/8774.misc
deleted file mode 100644
index 57cca8fee5..0000000000
--- a/changelog.d/8774.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add additional error checking for OpenID Connect and SAML mapping providers.
diff --git a/changelog.d/8776.bugfix b/changelog.d/8776.bugfix
deleted file mode 100644
index dd7ebbeb86..0000000000
--- a/changelog.d/8776.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug in some federation APIs which could lead to unexpected behaviour if different parameters were set in the URI and the request body.
diff --git a/changelog.d/8777.misc b/changelog.d/8777.misc
deleted file mode 100644
index e6da7d038d..0000000000
--- a/changelog.d/8777.misc
+++ /dev/null
@@ -1 +0,0 @@
- Refactor test utilities for injecting HTTP requests.
diff --git a/changelog.d/8779.doc b/changelog.d/8779.doc
deleted file mode 100644
index 3641ae7f91..0000000000
--- a/changelog.d/8779.doc
+++ /dev/null
@@ -1 +0,0 @@
-Update `turn-howto.md` with troubleshooting notes.
diff --git a/changelog.d/8784.misc b/changelog.d/8784.misc
deleted file mode 100644
index 18a4263398..0000000000
--- a/changelog.d/8784.misc
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug introduced in v1.20.0 where the user-agent and IP address reported during user registration for CAS, OpenID Connect, and SAML were of the wrong form.
diff --git a/changelog.d/8785.removal b/changelog.d/8785.removal
deleted file mode 100644
index ee8ee32598..0000000000
--- a/changelog.d/8785.removal
+++ /dev/null
@@ -1 +0,0 @@
-Remove old `/_matrix/client/*/admin` endpoints which was deprecated since Synapse 1.20.0.
\ No newline at end of file
diff --git a/changelog.d/8793.doc b/changelog.d/8793.doc
deleted file mode 100644
index f6eee1ea73..0000000000
--- a/changelog.d/8793.doc
+++ /dev/null
@@ -1 +0,0 @@
-Fix the example on how to set the `Content-Type` header in nginx for the Client Well-Known URI.
diff --git a/changelog.d/8795.doc b/changelog.d/8795.doc
deleted file mode 100644
index f97a74efb5..0000000000
--- a/changelog.d/8795.doc
+++ /dev/null
@@ -1 +0,0 @@
-Improve the documentation for the admin API to list all media in a room with respect to encrypted events.
diff --git a/changelog.d/8798.bugfix b/changelog.d/8798.bugfix
deleted file mode 100644
index 9bdb2b51ea..0000000000
--- a/changelog.d/8798.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a bug where synctl could spawn duplicate copies of a worker. Contributed by Waylon Cude.
diff --git a/changelog.d/8799.bugfix b/changelog.d/8799.bugfix
deleted file mode 100644
index a7e6b3556d..0000000000
--- a/changelog.d/8799.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Allow per-room profiles to be used for the server notice user.
diff --git a/changelog.d/8800.misc b/changelog.d/8800.misc
deleted file mode 100644
index 57cca8fee5..0000000000
--- a/changelog.d/8800.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add additional error checking for OpenID Connect and SAML mapping providers.
diff --git a/changelog.d/8801.feature b/changelog.d/8801.feature
deleted file mode 100644
index 77f7fe4e5d..0000000000
--- a/changelog.d/8801.feature
+++ /dev/null
@@ -1 +0,0 @@
-Add support for re-trying generation of a localpart for OpenID Connect mapping providers.
diff --git a/changelog.d/8804.feature b/changelog.d/8804.feature
deleted file mode 100644
index a907c8106c..0000000000
--- a/changelog.d/8804.feature
+++ /dev/null
@@ -1 +0,0 @@
-Allow Date header through CORS. Contributed by Nicolas Chamo.
diff --git a/changelog.d/8806.misc b/changelog.d/8806.misc
deleted file mode 100644
index ee144846a5..0000000000
--- a/changelog.d/8806.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add type hints to HTTP abstractions.
diff --git a/changelog.d/8809.misc b/changelog.d/8809.misc
deleted file mode 100644
index bbf83cf18d..0000000000
--- a/changelog.d/8809.misc
+++ /dev/null
@@ -1 +0,0 @@
-Remove unnecessary function arguments and add typing to several membership replication classes.
\ No newline at end of file
diff --git a/changelog.d/8812.misc b/changelog.d/8812.misc
deleted file mode 100644
index ee144846a5..0000000000
--- a/changelog.d/8812.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add type hints to HTTP abstractions.
diff --git a/changelog.d/8815.misc b/changelog.d/8815.misc
deleted file mode 100644
index 647edeb568..0000000000
--- a/changelog.d/8815.misc
+++ /dev/null
@@ -1 +0,0 @@
-Optimise the lookup for an invite from another homeserver when trying to reject it.
\ No newline at end of file
diff --git a/changelog.d/8817.bugfix b/changelog.d/8817.bugfix
deleted file mode 100644
index e45dbd2ba4..0000000000
--- a/changelog.d/8817.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix bug where logging could break after a call to SIGHUP.
diff --git a/changelog.d/8818.doc b/changelog.d/8818.doc
deleted file mode 100644
index 571b0e3f60..0000000000
--- a/changelog.d/8818.doc
+++ /dev/null
@@ -1 +0,0 @@
-Update the formatting of the `push` section of the homeserver config file to better align with the [code style guidelines](https://github.com/matrix-org/synapse/blob/develop/docs/code_style.md#configuration-file-format).
\ No newline at end of file
diff --git a/changelog.d/8819.misc b/changelog.d/8819.misc
deleted file mode 100644
index a5793273a5..0000000000
--- a/changelog.d/8819.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add tests for `password_auth_provider`s.
diff --git a/changelog.d/8820.feature b/changelog.d/8820.feature
deleted file mode 100644
index 9e35861b11..0000000000
--- a/changelog.d/8820.feature
+++ /dev/null
@@ -1 +0,0 @@
-Add a config option, `push.group_by_unread_count`, which controls whether unread message counts in push notifications are defined as "the number of rooms with unread messages" or "total unread messages".
diff --git a/changelog.d/8822.doc b/changelog.d/8822.doc
deleted file mode 100644
index 4299245990..0000000000
--- a/changelog.d/8822.doc
+++ /dev/null
@@ -1 +0,0 @@
-Improve documentation how to configure prometheus for workers.
\ No newline at end of file
diff --git a/changelog.d/8823.bugfix b/changelog.d/8823.bugfix
deleted file mode 100644
index 74af1c20b6..0000000000
--- a/changelog.d/8823.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix `register_new_matrix_user` failing with "Bad Request" when trailing slash is included in server URL. Contributed by @angdraug.
diff --git a/changelog.d/8824.doc b/changelog.d/8824.doc
deleted file mode 100644
index 683b436328..0000000000
--- a/changelog.d/8824.doc
+++ /dev/null
@@ -1 +0,0 @@
-Update example prometheus console.
\ No newline at end of file
diff --git a/changelog.d/8833.removal b/changelog.d/8833.removal
deleted file mode 100644
index 5c2d195f94..0000000000
--- a/changelog.d/8833.removal
+++ /dev/null
@@ -1 +0,0 @@
-Disable pretty printing JSON responses for curl. Users who want pretty-printed output should use [jq](https://stedolan.github.io/jq/) in combination with curl. Contributed by @tulir.
diff --git a/changelog.d/8835.bugfix b/changelog.d/8835.bugfix
deleted file mode 100644
index 446d04aa55..0000000000
--- a/changelog.d/8835.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix minor long-standing bug in login, where we would offer the `password` login type if a custom auth provider supported it, even if password login was disabled.
diff --git a/changelog.d/8843.feature b/changelog.d/8843.feature
deleted file mode 100644
index 824d46d5aa..0000000000
--- a/changelog.d/8843.feature
+++ /dev/null
@@ -1 +0,0 @@
-Add `force_purge` option to delete-room admin api.
diff --git a/changelog.d/8845.misc b/changelog.d/8845.misc
deleted file mode 100644
index 7db1c31520..0000000000
--- a/changelog.d/8845.misc
+++ /dev/null
@@ -1 +0,0 @@
-Drop redundant database index on `event_json`.
diff --git a/changelog.d/8847.misc b/changelog.d/8847.misc
deleted file mode 100644
index 5028997b04..0000000000
--- a/changelog.d/8847.misc
+++ /dev/null
@@ -1 +0,0 @@
-Simplify `uk.half-shot.msc2778.login.application_service` login handler.
diff --git a/changelog.d/8848.bugfix b/changelog.d/8848.bugfix
deleted file mode 100644
index 499e66f05b..0000000000
--- a/changelog.d/8848.bugfix
+++ /dev/null
@@ -1 +0,0 @@
-Fix a long-standing bug which caused Synapse to require unspecified parameters during user-interactive authentication.
diff --git a/changelog.d/8849.misc b/changelog.d/8849.misc
deleted file mode 100644
index 3dd496ce61..0000000000
--- a/changelog.d/8849.misc
+++ /dev/null
@@ -1 +0,0 @@
-Refactor `password_auth_provider` support code.
diff --git a/changelog.d/8850.misc b/changelog.d/8850.misc
deleted file mode 100644
index 4b54b8dd87..0000000000
--- a/changelog.d/8850.misc
+++ /dev/null
@@ -1 +0,0 @@
-Add missing `ordering` to background database updates.
diff --git a/changelog.d/8851.misc b/changelog.d/8851.misc
deleted file mode 100644
index 7bef422618..0000000000
--- a/changelog.d/8851.misc
+++ /dev/null
@@ -1 +0,0 @@
-Simplify the way the `HomeServer` object caches its internal attributes.
diff --git a/changelog.d/8854.misc b/changelog.d/8854.misc
deleted file mode 100644
index 5895df2d5c..0000000000
--- a/changelog.d/8854.misc
+++ /dev/null
@@ -1 +0,0 @@
-Allow for specifying a room version when creating a room in unit tests via `RestHelper.create_room_as`.
\ No newline at end of file
diff --git a/changelog.d/8855.feature b/changelog.d/8855.feature
deleted file mode 100644
index 77f7fe4e5d..0000000000
--- a/changelog.d/8855.feature
+++ /dev/null
@@ -1 +0,0 @@
-Add support for re-trying generation of a localpart for OpenID Connect mapping providers.
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 791cd6936b..afd896ffc1 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -37,7 +37,7 @@ RUN pip install --prefix="/install" --no-warn-script-location \
jaeger-client \
opentracing \
# Match the version constraints of Synapse
- "prometheus_client>=0.4.0,<0.9.0" \
+ "prometheus_client>=0.4.0" \
psycopg2 \
pycparser \
pyrsistent \
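Review bot: with the `<0.9.0` ceiling removed, this `pip install` resolves `prometheus_client` to whatever is latest on PyPI at image build time, so two builds of the same Synapse tag can ship different versions of the library; the comment above ("Match the version constraints of Synapse") keeps it in sync with `python_dependencies.py`, but the image is a shipped artifact and would be better served by pinning the version that was actually tested (or at least an upper bound) rather than an open-ended `>=0.4.0`.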
diff --git a/docs/sso_mapping_providers.md b/docs/sso_mapping_providers.md
index dee53b5d40..ab2a648910 100644
--- a/docs/sso_mapping_providers.md
+++ b/docs/sso_mapping_providers.md
@@ -168,6 +168,13 @@ A custom mapping provider must specify the following methods:
the value of `mxid_localpart`.
* `emails` - A list of emails for the new user. If not provided, will
default to an empty list.
+
+ Alternatively it can raise a `synapse.api.errors.RedirectException` to
+ redirect the user to another page. This is useful to prompt the user for
+ additional information, e.g. if you want them to provide their own username.
+ It is the responsibility of the mapping provider to either redirect back
+ to `client_redirect_url` (including any additional information) or to
+ complete registration using methods from the `ModuleApi`.
### Default SAML Mapping Provider
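Review bot: the new paragraph runs straight into the `### Default SAML Mapping Provider` heading with no blank line between them; add one so the paragraph renders separately. On content, "complete registration using methods from the `ModuleApi`" names no method, so a provider author cannot tell from this page what to call after the interstitial; link to the module API documentation or name the relevant methods. It would also help to state that `RedirectException` is only honoured when raised from the mapping method itself (the handler now passes it through, while any other exception is turned into a `MappingException`), since that is the behaviour the rc2 fix restores.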
diff --git a/synapse/__init__.py b/synapse/__init__.py
index 65c1f5aa3f..2e354f2cc6 100644
--- a/synapse/__init__.py
+++ b/synapse/__init__.py
@@ -48,7 +48,7 @@ try:
except ImportError:
pass
-__version__ = "1.23.0"
+__version__ = "1.24.0rc2"
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
# We import here so that we don't have to install a bunch of deps when
diff --git a/synapse/handlers/oidc_handler.py b/synapse/handlers/oidc_handler.py
index 55c4377890..c605f7082a 100644
--- a/synapse/handlers/oidc_handler.py
+++ b/synapse/handlers/oidc_handler.py
@@ -888,7 +888,7 @@ class OidcHandler(BaseHandler):
# continue to already be in use. Note that the error raised is
# arbitrary and will get turned into a MappingException.
if failures:
- raise RuntimeError(
+ raise MappingException(
"Mapping provider does not support de-duplicating Matrix IDs"
)
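Review bot: the comment two lines above this change ("Note that the error raised is arbitrary and will get turned into a MappingException") is now stale, because the code raises `MappingException` directly rather than relying on the caller to wrap it. Update the comment to say that a `MappingException` is raised deliberately so that it propagates unchanged, and note that its message is user-visible (per the new `MappingException` docstring in sso.py), so the wording here is what end-users will see.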
diff --git a/synapse/handlers/sso.py b/synapse/handlers/sso.py
index f42b90e1bc..47ad96f97e 100644
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@@ -17,6 +17,7 @@ from typing import TYPE_CHECKING, Awaitable, Callable, List, Optional
import attr
+from synapse.api.errors import RedirectException
from synapse.handlers._base import BaseHandler
from synapse.http.server import respond_with_html
from synapse.types import UserID, contains_invalid_mxid_characters
@@ -28,7 +29,9 @@ logger = logging.getLogger(__name__)
class MappingException(Exception):
- """Used to catch errors when mapping the UserInfo object
+ """Used to catch errors when mapping an SSO response to user attributes.
+
+ Note that the msg that is raised is shown to end-users.
"""
@@ -145,6 +148,14 @@ class SsoHandler(BaseHandler):
sso_to_matrix_id_mapper: A callable to generate the user attributes.
The only parameter is an integer which represents the amount of
times the returned mxid localpart mapping has failed.
+
+ It is expected that the mapper can raise two exceptions, which
+ will get passed through to the caller:
+
+ MappingException if there was a problem mapping the response
+ to the user.
+ RedirectException to redirect to an additional page (e.g.
+ to prompt the user for more information).
grandfather_existing_users: A callable which can return an previously
existing matrix ID. The SSO ID is then linked to the returned
matrix ID.
@@ -154,8 +165,8 @@ class SsoHandler(BaseHandler):
Raises:
MappingException if there was a problem mapping the response to a user.
- RedirectException: some mapping providers may raise this if they need
- to redirect to an interstitial page.
+ RedirectException: if the mapping provider needs to redirect the user
+ to an additional page. (e.g. to prompt for more information)
"""
# first of all, check if we already have a mapping for this user
@@ -179,10 +190,16 @@ class SsoHandler(BaseHandler):
for i in range(self._MAP_USERNAME_RETRIES):
try:
attributes = await sso_to_matrix_id_mapper(i)
+ except (RedirectException, MappingException):
+ # Mapping providers are allowed to issue a redirect (e.g. to ask
+ # the user for more information) and can issue a mapping exception
+ # if a name cannot be generated.
+ raise
except Exception as e:
+ # Any other exception is unexpected.
raise MappingException(
- "Could not extract user attributes from SSO response: " + str(e)
- )
+ "Could not extract user attributes from SSO response."
+ ) from e
logger.debug(
"Retrieved user attributes from user mapping provider: %r (attempt %d)",
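Review bot: dropping `str(e)` from the `MappingException` message is the right call, since the new docstring says that message is shown to end-users and an arbitrary provider exception could leak internals; but nothing in this hunk logs the original exception before re-raising, and `raise ... from e` only preserves it on the traceback if some caller eventually logs the chained exception. Add a `logger.exception(...)` (or at least `logger.warning` with the exception) in the generic `except Exception` branch so operators still get the root cause of a misbehaving mapping provider. The bare `raise` for `RedirectException`/`MappingException` is fine as written.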
diff --git a/synapse/python_dependencies.py b/synapse/python_dependencies.py
index aab77fc453..c899ca14d3 100644
--- a/synapse/python_dependencies.py
+++ b/synapse/python_dependencies.py
@@ -40,6 +40,10 @@ logger = logging.getLogger(__name__)
# Note that these both represent runtime dependencies (and the versions
# installed are checked at runtime).
#
+# Also note that we replicate these constraints in the Synapse Dockerfile while
+# pre-installing dependencies. If these constraints are updated here, the same
+# change should be made in the Dockerfile.
+#
# [1] https://pip.pypa.io/en/stable/reference/pip_install/#requirement-specifiers.
REQUIREMENTS = [
@@ -69,14 +73,7 @@ REQUIREMENTS = [
"msgpack>=0.5.2",
"phonenumbers>=8.2.0",
# we use GaugeHistogramMetric, which was added in prom-client 0.4.0.
- # prom-client has a history of breaking backwards compatibility between
- # minor versions (https://github.com/prometheus/client_python/issues/317),
- # so we also pin the minor version.
- #
- # Note that we replicate these constraints in the Synapse Dockerfile while
- # pre-installing dependencies. If these constraints are updated here, the
- # same change should be made in the Dockerfile.
- "prometheus_client>=0.4.0,<0.9.0",
+ "prometheus_client>=0.4.0",
# we use attr.validators.deep_iterable, which arrived in 19.1.0 (Note:
# Fedora 31 only has 19.1, so if we want to upgrade we should wait until 33
# is out in November.)
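Review bot: the deleted comment explained why the minor version was pinned (prom-client "has a history of breaking backwards compatibility between minor versions", with a link to the upstream issue); replacing `>=0.4.0,<0.9.0` with an open-ended `>=0.4.0` removes that guard entirely rather than raising the ceiling to the version that was tested. The changelog entry says this "adds support" for newer `prometheus_client`, but the patch contains no code adapting to 0.9.x, only the constraint change. Suggest either keeping an upper bound (e.g. `<1.0`) with the rationale, or stating in the comment that 0.9.x was verified and that the pin was dropped on purpose.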
diff --git a/tests/handlers/test_oidc.py b/tests/handlers/test_oidc.py
index d485af52fd..a308c46da9 100644
--- a/tests/handlers/test_oidc.py
+++ b/tests/handlers/test_oidc.py
@@ -705,8 +705,7 @@ class OidcHandlerTestCase(HomeserverTestCase):
MappingException,
)
self.assertEqual(
- str(e.value),
- "Could not extract user attributes from SSO response: Mapping provider does not support de-duplicating Matrix IDs",
+ str(e.value), "Mapping provider does not support de-duplicating Matrix IDs",
)
@override_config({"oidc_config": {"allow_existing_users": True}})
diff --git a/tests/handlers/test_saml.py b/tests/handlers/test_saml.py
index e1e13a5faf..45dc17aba5 100644
--- a/tests/handlers/test_saml.py
+++ b/tests/handlers/test_saml.py
@@ -14,6 +14,7 @@
import attr
+from synapse.api.errors import RedirectException
from synapse.handlers.sso import MappingException
from tests.unittest import HomeserverTestCase, override_config
@@ -49,6 +50,13 @@ class TestMappingProvider:
return {"mxid_localpart": localpart, "displayname": None}
+class TestRedirectMappingProvider(TestMappingProvider):
+ def saml_response_to_user_attributes(
+ self, saml_response, failures, client_redirect_url
+ ):
+ raise RedirectException(b"https://custom-saml-redirect/")
+
+
class SamlHandlerTestCase(HomeserverTestCase):
def default_config(self):
config = super().default_config()
@@ -166,3 +174,23 @@ class SamlHandlerTestCase(HomeserverTestCase):
self.assertEqual(
str(e.value), "Unable to generate a Matrix ID from the SSO response"
)
+
+ @override_config(
+ {
+ "saml2_config": {
+ "user_mapping_provider": {
+ "module": __name__ + ".TestRedirectMappingProvider"
+ },
+ }
+ }
+ )
+ def test_map_saml_response_redirect(self):
+ saml_response = FakeAuthnResponse({"uid": "test", "username": "test_user"})
+ redirect_url = ""
+ e = self.get_failure(
+ self.handler._map_saml_response_to_user(
+ saml_response, redirect_url, "user-agent", "10.10.10.10"
+ ),
+ RedirectException,
+ )
+ self.assertEqual(e.value.location, b"https://custom-saml-redirect/")
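Review bot: the test only asserts that the `RedirectException` surfaces with the expected `location`; it does not check that the redirect short-circuited registration, which is the property the rc2 fix actually guards (a swallowed redirect would previously have fallen through to a `MappingException`, but a future regression could also register the user and then redirect). Add an assertion that no Matrix user or SSO mapping was created for the `uid` in `saml_response` after the call. Also, `redirect_url = ""` is passed as the `client_redirect_url`; since the doc in this patch tells providers to redirect back to that URL, a non-empty value in the test would exercise the more realistic path.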