diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index b9c40522d8..98e8cd8b5a 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
@@ -66,203 +66,6 @@ class OIDCConfig(Config):
# OIDC is enabled if we have a provider
return bool(self.oidc_providers)
- def generate_config_section(self, **kwargs: Any) -> str:
- return """\
- # List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
- # and login.
- #
- # Options for each entry include:
- #
- # idp_id: a unique identifier for this identity provider. Used internally
- # by Synapse; should be a single word such as 'github'.
- #
- # Note that, if this is changed, users authenticating via that provider
- # will no longer be recognised as the same user!
- #
- # (Use "oidc" here if you are migrating from an old "oidc_config"
- # configuration.)
- #
- # idp_name: A user-facing name for this identity provider, which is used to
- # offer the user a choice of login mechanisms.
- #
- # idp_icon: An optional icon for this identity provider, which is presented
- # by clients and Synapse's own IdP picker page. If given, must be an
- # MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
- # obtain such an MXC URI is to upload an image to an (unencrypted) room
- # and then copy the "url" from the source of the event.)
- #
- # idp_brand: An optional brand for this identity provider, allowing clients
- # to style the login flow according to the identity provider in question.
- # See the spec for possible options here.
- #
- # discover: set to 'false' to disable the use of the OIDC discovery mechanism
- # to discover endpoints. Defaults to true.
- #
- # issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
- # is enabled) to discover the provider's endpoints.
- #
- # client_id: Required. oauth2 client id to use.
- #
- # client_secret: oauth2 client secret to use. May be omitted if
- # client_secret_jwt_key is given, or if client_auth_method is 'none'.
- #
- # client_secret_jwt_key: Alternative to client_secret: details of a key used
- # to create a JSON Web Token to be used as an OAuth2 client secret. If
- # given, must be a dictionary with the following properties:
- #
- # key: a pem-encoded signing key. Must be a suitable key for the
- # algorithm specified. Required unless 'key_file' is given.
- #
- # key_file: the path to file containing a pem-encoded signing key file.
- # Required unless 'key' is given.
- #
- # jwt_header: a dictionary giving properties to include in the JWT
- # header. Must include the key 'alg', giving the algorithm used to
- # sign the JWT, such as "ES256", using the JWA identifiers in
- # RFC7518.
- #
- # jwt_payload: an optional dictionary giving properties to include in
- # the JWT payload. Normally this should include an 'iss' key.
- #
- # client_auth_method: auth method to use when exchanging the token. Valid
- # values are 'client_secret_basic' (default), 'client_secret_post' and
- # 'none'.
- #
- # scopes: list of scopes to request. This should normally include the "openid"
- # scope. Defaults to ["openid"].
- #
- # authorization_endpoint: the oauth2 authorization endpoint. Required if
- # provider discovery is disabled.
- #
- # token_endpoint: the oauth2 token endpoint. Required if provider discovery is
- # disabled.
- #
- # userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
- # disabled and the 'openid' scope is not requested.
- #
- # jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
- # the 'openid' scope is used.
- #
- # skip_verification: set to 'true' to skip metadata verification. Use this if
- # you are connecting to a provider that is not OpenID Connect compliant.
- # Defaults to false. Avoid this in production.
- #
- # user_profile_method: Whether to fetch the user profile from the userinfo
- # endpoint, or to rely on the data returned in the id_token from the
- # token_endpoint.
- #
- # Valid values are: 'auto' or 'userinfo_endpoint'.
- #
- # Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
- # not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
- # userinfo endpoint.
- #
- # allow_existing_users: set to 'true' to allow a user logging in via OIDC to
- # match a pre-existing account instead of failing. This could be used if
- # switching from password logins to OIDC. Defaults to false.
- #
- # user_mapping_provider: Configuration for how attributes returned from a OIDC
- # provider are mapped onto a matrix user. This setting has the following
- # sub-properties:
- #
- # module: The class name of a custom mapping module. Default is
- # {mapping_provider!r}.
- # See https://matrix-org.github.io/synapse/latest/sso_mapping_providers.html#openid-mapping-providers
- # for information on implementing a custom mapping provider.
- #
- # config: Configuration for the mapping provider module. This section will
- # be passed as a Python dictionary to the user mapping provider
- # module's `parse_config` method.
- #
- # For the default provider, the following settings are available:
- #
- # subject_claim: name of the claim containing a unique identifier
- # for the user. Defaults to 'sub', which OpenID Connect
- # compliant providers should provide.
- #
- # localpart_template: Jinja2 template for the localpart of the MXID.
- # If this is not set, the user will be prompted to choose their
- # own username (see the documentation for the
- # 'sso_auth_account_details.html' template). This template can
- # use the 'localpart_from_email' filter.
- #
- # confirm_localpart: Whether to prompt the user to validate (or
- # change) the generated localpart (see the documentation for the
- # 'sso_auth_account_details.html' template), instead of
- # registering the account right away.
- #
- # display_name_template: Jinja2 template for the display name to set
- # on first login. If unset, no displayname will be set.
- #
- # email_template: Jinja2 template for the email address of the user.
- # If unset, no email address will be added to the account.
- #
- # extra_attributes: a map of Jinja2 templates for extra attributes
- # to send back to the client during login.
- # Note that these are non-standard and clients will ignore them
- # without modifications.
- #
- # When rendering, the Jinja2 templates are given a 'user' variable,
- # which is set to the claims returned by the UserInfo Endpoint and/or
- # in the ID Token.
- #
- # It is possible to configure Synapse to only allow logins if certain attributes
- # match particular values in the OIDC userinfo. The requirements can be listed under
- # `attribute_requirements` as shown below. All of the listed attributes must
- # match for the login to be permitted. Additional attributes can be added to
- # userinfo by expanding the `scopes` section of the OIDC config to retrieve
- # additional information from the OIDC provider.
- #
- # If the OIDC claim is a list, then the attribute must match any value in the list.
- # Otherwise, it must exactly match the value of the claim. Using the example
- # below, the `family_name` claim MUST be "Stephensson", but the `groups`
- # claim MUST contain "admin".
- #
- # attribute_requirements:
- # - attribute: family_name
- # value: "Stephensson"
- # - attribute: groups
- # value: "admin"
- #
- # See https://matrix-org.github.io/synapse/latest/openid.html
- # for information on how to configure these options.
- #
- # For backwards compatibility, it is also possible to configure a single OIDC
- # provider via an 'oidc_config' setting. This is now deprecated and admins are
- # advised to migrate to the 'oidc_providers' format. (When doing that migration,
- # use 'oidc' for the idp_id to ensure that existing users continue to be
- # recognised.)
- #
- oidc_providers:
- # Generic example
- #
- #- idp_id: my_idp
- # idp_name: "My OpenID provider"
- # idp_icon: "mxc://example.com/mediaid"
- # discover: false
- # issuer: "https://accounts.example.com/"
- # client_id: "provided-by-your-issuer"
- # client_secret: "provided-by-your-issuer"
- # client_auth_method: client_secret_post
- # scopes: ["openid", "profile"]
- # authorization_endpoint: "https://accounts.example.com/oauth2/auth"
- # token_endpoint: "https://accounts.example.com/oauth2/token"
- # userinfo_endpoint: "https://accounts.example.com/userinfo"
- # jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
- # skip_verification: true
- # user_mapping_provider:
- # config:
- # subject_claim: "id"
- # localpart_template: "{{{{ user.login }}}}"
- # display_name_template: "{{{{ user.name }}}}"
- # email_template: "{{{{ user.email }}}}"
- # attribute_requirements:
- # - attribute: userGroup
- # value: "synapseUsers"
- """.format(
- mapping_provider=DEFAULT_USER_MAPPING_PROVIDER
- )
-
# jsonschema definition of the configuration settings for an oidc identity provider
OIDC_PROVIDER_CONFIG_SCHEMA = {
|
