summary refs log tree commit diff
path: root/synapse/config/oidc_config.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Update the OIDC sample config (#9695)Richard van der Hoff2021-03-291-31/+3
| | | | | | | I've reiterated the advice about using `oidc` to migrate, since I've seen a few people caught by this. I've also removed a couple of the examples as they are duplicating the OIDC documentation, and I think they might be leading people astray.
* Enable flake8-bugbear, but disable most checks. (#9499)Jonathan de Jong2021-03-161-1/+3
| | | | * Adds B00 to ignored checks. * Fixes remaining issues.
* Add SSO attribute requirements for OIDC providers (#9609)Hubbe2021-03-161-1/+39
| | | | Allows limiting who can login using OIDC via the claims made from the IdP.
* Add support for stable MSC2858 API (#9617)Richard van der Hoff2021-03-161-2/+11
| | | | | The stable format uses different brand identifiers, so we need to support two identifiers for each IdP.
* JWT OIDC secrets for Sign in with Apple (#9549)Richard van der Hoff2021-03-091-7/+82
| | | | | Apple had to be special. They want a client secret which is generated from an EC key. Fixes #9220. Also fixes #9212 while I'm here.
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-4/+9
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Merge tag 'v1.27.0rc2' into developPatrick Cloke2021-02-111-1/+4
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Synapse 1.27.0rc2 (2021-02-11) ============================== Features -------- - Further improvements to the user experience of registration via single sign-on. ([\#9297](https://github.com/matrix-org/synapse/issues/9297)) Bugfixes -------- - Fix ratelimiting introduced in v1.27.0rc1 for invites to respect the `ratelimit` flag on application services. ([\#9302](https://github.com/matrix-org/synapse/issues/9302)) - Do not automatically calculate `public_baseurl` since it can be wrong in some situations. Reverts behaviour introduced in v1.26.0. ([\#9313](https://github.com/matrix-org/synapse/issues/9313)) Improved Documentation ---------------------- - Clarify the sample configuration for changes made to the template loading code. ([\#9310](https://github.com/matrix-org/synapse/issues/9310))
| * Backout changes for automatically calculating the public baseurl. (#9313)Patrick Cloke2021-02-111-1/+4
| | | | | | | | This breaks some people's configurations (if their Client-Server API is not accessed via port 443).
* | Fix escaping of braces in OIDC sample config. (#9317)Patrick Cloke2021-02-041-5/+5
|/ | | This fixes the Jinja2 templates for the mapping provider.
* Put OIDC callback URI under /_synapse/client. (#9288)Richard van der Hoff2021-02-011-1/+1
|
* Merge branch 'social_login' into developRichard van der Hoff2021-02-011-1/+2
|\
| * Replace username picker with a template (#9275)Richard van der Hoff2021-02-011-1/+2
| | | | | | | | | | There's some prelimiary work here to pull out the construction of a jinja environment to a separate function. I wanted to load the template at display time rather than load time, so that it's easy to update on the fly. Honestly, I think we should do this with all our templates: the risk of ending up with malformed templates is far outweighed by the improved turnaround time for an admin trying to update them.
* | Merge branch 'social_login' into developRichard van der Hoff2021-01-281-28/+39
|\|
| * Add 'brand' field to MSC2858 response (#9242)Richard van der Hoff2021-01-271-25/+27
| | | | | | | | | | | | We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
| * Support for scraping email addresses from OIDC providers (#9245)Richard van der Hoff2021-01-271-3/+12
| |
* | Do not require the CAS service URL setting (use public_baseurl instead). (#9199)Patrick Cloke2021-01-261-2/+1
|/ | | | The current configuration is handled for backwards compatibility, but is considered deprecated.
* Add a check for duplicate IdP ids (#9184)Richard van der Hoff2021-01-211-0/+11
|
* Prefix idp_id with "oidc-" (#9189)Richard van der Hoff2021-01-211-4/+24
| | | ... to avoid clashes with other SSO mechanisms
* Tighten the restrictions on `idp_id` (#9177)Richard van der Hoff2021-01-201-3/+9
|
* Support icons for Identity Providers (#9154)Richard van der Hoff2021-01-201-0/+20
|
* Give `public_baseurl` a default value (#9159)Richard van der Hoff2021-01-201-2/+0
|
* Fix error messages from OIDC config parsing (#9153)Richard van der Hoff2021-01-191-10/+15
| | | | Make sure we report the correct config path for errors in the OIDC configs.
* Land support for multiple OIDC providers (#9110)Richard van der Hoff2021-01-151-142/+187
| | | | | | | | | | | | | | | | | | | | | | | This is the final step for supporting multiple OIDC providers concurrently. First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one. Before: oidc_config: enabled: true issuer: "https://oidc_provider" # etc After: oidc_providers: - idp_id: prov1 issuer: "https://oidc_provider" - idp_id: prov2 issuer: "https://another_oidc_provider" The old format is still grandfathered in. With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Store an IdP ID in the OIDC session (#9109)Richard van der Hoff2021-01-151-3/+23
| | | | | Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP. As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Add jsonschema verification for the oidc provider configRichard van der Hoff2021-01-131-0/+50
|
* Extract OIDCProviderConfig objectRichard van der Hoff2021-01-131-45/+120
| | | | | Collect all the config options which related to an OIDC provider into a single object.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-2/+3
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Better formatting for config errors from modules (#8874)Richard van der Hoff2020-12-081-1/+1
| | | | | | | | | | The idea is that the parse_config method of extension modules can raise either a ConfigError or a JsonValidationError, and it will be magically turned into a legible error message. There's a few components to it: * Separating the "path" and the "message" parts of a ConfigError, so that we can fiddle with the path bit to turn it into an absolute path. * Generally improving the way ConfigErrors get printed. * Passing in the config path to load_module so that it can wrap any exceptions that get caught appropriately.
* Improve the sample config for SSO (OIDC, SAML, and CAS). (#8635)Patrick Cloke2020-10-301-4/+3
|
* Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-011-0/+9
| | | This allows for connecting to certain IdPs, e.g. GitLab.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-0/+8
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-0/+6
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* fix broken link in sample config (#7712)Richard van der Hoff2020-06-161-1/+1
|
* Cleanups to the OpenID Connect integration (#7628)Richard van der Hoff2020-06-031-75/+101
| | | | docs, default configs, comments. Nothing very significant.
* Fix sample config docs error (#7581)Jason Robinson2020-05-271-1/+1
| | | | | | 'client_auth_method' commented out value was erronously 'client_auth_basic', when code and docstring says it should be 'client_secret_basic'. Signed-off-by: Jason Robinson <jasonr@matrix.org>
* Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-081-0/+177