summary refs log tree commit diff
path: root/synapse/handlers/oidc.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add support for handling avatar with SSO login (#13917)Ashish Kumar2022-11-251-0/+7
| | | | | | | | This commit adds support for handling a provided avatar picture URL when logging in via SSO. Signed-off-by: Ashish Kumar <ashfame@users.noreply.github.com> Fixes #9357.
* Remove redundant types from comments. (#14412)Patrick Cloke2022-11-161-1/+1
| | | | | | | Remove type hints from comments which have been added as Python type hints. This helps avoid drift between comments and reality, as well as removing redundant information. Also adds some missing type hints which were simple to fill in.
* Support OIDC backchannel logouts (#11414)Quentin Gliech2022-10-311-36/+345
| | | | | | | If configured an OIDC IdP can log a user's session out of Synapse when they log out of the identity provider. The IdP sends a request directly to Synapse (and must be configured with an endpoint) when a user logs out.
* Refactor OIDC tests to better mimic an actual OIDC provider. (#13910)Quentin Gliech2022-10-251-4/+11
| | | | | | | | | This implements a fake OIDC server, which intercepts calls to the HTTP client. Improves accuracy of tests by covering more internal methods. One particular example was the ID token validation, which previously mocked. This uncovered an incorrect dependency: Synapse actually requires at least authlib 0.15.1, not 0.14.0.
* Move the "email unsubscribe" resource, refactor the macaroon generator & ↵Quentin Gliech2022-06-141-123/+8
| | | | | | | | | | | | | | | | | | | | | simplify the access token verification logic. (#12986) This simplifies the access token verification logic by removing the `rights` parameter which was only ever used for the unsubscribe link in email notifications. The latter has been moved under the `/_synapse` namespace, since it is not a standard API. This also makes the email verification link more secure, by embedding the app_id and pushkey in the macaroon and verifying it. This prevents the user from tampering the query parameters of that unsubscribe link. Macaroon generation is refactored: - Centralised all macaroon generation and verification logic to the `MacaroonGenerator` - Moved to `synapse.utils` - Changed the constructor to require only a `Clock`, hostname, and a secret key (instead of a full `Homeserver`). - Added tests for all methods.
* Downgrade some OIDC exceptions to warnings (#12723)David Robertson2022-05-181-2/+2
|
* Remove unused `# type: ignore`s (#12531)David Robertson2022-04-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | Over time we've begun to use newer versions of mypy, typeshed, stub packages---and of course we've improved our own annotations. This makes some type ignore comments no longer necessary. I have removed them. There was one exception: a module that imports `select.epoll`. The ignore is redundant on Linux, but I've kept it ignored for those of us who work on the source tree using not-Linux. (#11771) I'm more interested in the config line which enforces this. I want unused ignores to be reported, because I think it's useful feedback when annotating to know when you've fixed a problem you had to previously ignore. * Installing extras before typechecking Lacking an easy way to install all extras generically, let's bite the bullet and make install the hand-maintained `all` extra before typechecking. Now that https://github.com/matrix-org/backend-meta/pull/6 is merged to the release/v1 branch.
* Implement a Jinja2 filter to extract localparts from email addresses (#12212)Brendan Abolivier2022-03-111-0/+6
|
* Update the SSO username picker template to comply with SIWA guidelines (#12210)Brendan Abolivier2022-03-111-1/+11
| | | Fixes https://github.com/matrix-org/synapse/issues/12205
* Remove `HomeServer.get_datastore()` (#12031)Richard van der Hoff2022-02-231-1/+1
| | | | | | | The presence of this method was confusing, and mostly present for backwards compatibility. Let's get rid of it. Part of #11733
* Adds misc missing type hints (#11953)Patrick Cloke2022-02-111-2/+2
|
* Save the OIDC session ID (sid) with the device on login (#11482)Quentin Gliech2021-12-061-23/+35
| | | As a step towards allowing back-channel logout for OIDC.
* Use direct references for configuration variables (part 4). (#10893)Patrick Cloke2021-09-231-1/+1
|
* Require type hints in the handlers module. (#10831)Patrick Cloke2021-09-201-17/+17
| | | | | | | Adds missing type hints to methods in the synapse.handlers module and requires all methods to have type hints there. This also removes the unused construct_auth_difference method from the FederationHandler.
* Use direct references for some configuration variables (#10798)Patrick Cloke2021-09-131-1/+1
| | | | Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
* Remove unstable MSC2858 API, including `experimental.msc2858_enabled` config ↵Sean2021-09-091-3/+0
| | | | | option (#10693) Signed-off-by: Sean Quah <seanq@element.io>
* [pyupgrade] `synapse/` (#10348)Jonathan de Jong2021-07-191-18/+20
| | | | | | | | | This PR is tantamount to running ``` pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"` ``` Part of #9744
* Use inline type hints in `handlers/` and `rest/`. (#10382)Jonathan de Jong2021-07-161-9/+9
|
* Allow OIDC cookies to work on non-root public baseurls (#9726)Andrew Morgan2021-04-231-5/+17
| | | | | Applied a (slightly modified) patch from https://github.com/matrix-org/synapse/issues/9574. As far as I understand this would allow the cookie set during the OIDC flow to work on deployments using public baseurls that do not sit at the URL path root.
* Make DomainSpecificString an attrs class (#9875)Erik Johnston2021-04-231-0/+5
|
* Rename handler and config modules which end in handler/config. (#9816)Patrick Cloke2021-04-201-0/+1384