summary refs log tree commit diff
path: root/synapse/handlers/oidc.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Correctly mention previous copyright (#16820)Erik Johnston2024-01-231-0/+2
| | | | | During the migration the automated script to update the copyright headers accidentally got rid of some of the existing copyright lines. Reinstate them.
* Update license headersPatrick Cloke2023-11-211-11/+16
|
* Add stricter mypy options (#15694)Patrick Cloke2023-05-311-1/+1
| | | | Enable warn_unused_configs, strict_concatenate, disallow_subclassing_any, and disallow_incomplete_defs.
* Add the ability to enable/disable registrations when in the OIDC flow (#14978)Warren Bailey2023-03-301-0/+1
| | | Signed-off-by: Warren Bailey <warren@warrenbailey.net>
* Support RFC7636 PKCE in the OAuth 2.0 flow. (#14750)Patrick Cloke2023-01-041-7/+47
| | | | | | | PKCE can protect against certain attacks and is enabled by default. Support can be controlled manually by setting the pkce_method of each oidc_providers entry to 'auto' (default), 'always', or 'never'. This is required by Twitter OAuth 2.0 support.
* Support non-OpenID compliant user info endpoints (#14753)Patrick Cloke2023-01-041-8/+23
| | | | | | | | OpenID specifies the format of the user info endpoint and some OAuth 2.0 IdPs do not follow it, e.g. NextCloud and Twitter. This adds subject_template and picture_template options to the default mapping provider for more flexibility in matching those user info responses.
* Actually use the picture_claim as configured in OIDC config. (#14751)Patrick Cloke2022-12-291-1/+1
| | | | Previously it was only using the default value ("picture") when fetching the picture from the user info.
* Add support for handling avatar with SSO login (#13917)Ashish Kumar2022-11-251-0/+7
| | | | | | | | This commit adds support for handling a provided avatar picture URL when logging in via SSO. Signed-off-by: Ashish Kumar <ashfame@users.noreply.github.com> Fixes #9357.
* Remove redundant types from comments. (#14412)Patrick Cloke2022-11-161-1/+1
| | | | | | | Remove type hints from comments which have been added as Python type hints. This helps avoid drift between comments and reality, as well as removing redundant information. Also adds some missing type hints which were simple to fill in.
* Support OIDC backchannel logouts (#11414)Quentin Gliech2022-10-311-36/+345
| | | | | | | If configured an OIDC IdP can log a user's session out of Synapse when they log out of the identity provider. The IdP sends a request directly to Synapse (and must be configured with an endpoint) when a user logs out.
* Refactor OIDC tests to better mimic an actual OIDC provider. (#13910)Quentin Gliech2022-10-251-4/+11
| | | | | | | | | This implements a fake OIDC server, which intercepts calls to the HTTP client. Improves accuracy of tests by covering more internal methods. One particular example was the ID token validation, which previously mocked. This uncovered an incorrect dependency: Synapse actually requires at least authlib 0.15.1, not 0.14.0.
* Move the "email unsubscribe" resource, refactor the macaroon generator & ↵Quentin Gliech2022-06-141-123/+8
| | | | | | | | | | | | | | | | | | | | | simplify the access token verification logic. (#12986) This simplifies the access token verification logic by removing the `rights` parameter which was only ever used for the unsubscribe link in email notifications. The latter has been moved under the `/_synapse` namespace, since it is not a standard API. This also makes the email verification link more secure, by embedding the app_id and pushkey in the macaroon and verifying it. This prevents the user from tampering the query parameters of that unsubscribe link. Macaroon generation is refactored: - Centralised all macaroon generation and verification logic to the `MacaroonGenerator` - Moved to `synapse.utils` - Changed the constructor to require only a `Clock`, hostname, and a secret key (instead of a full `Homeserver`). - Added tests for all methods.
* Downgrade some OIDC exceptions to warnings (#12723)David Robertson2022-05-181-2/+2
|
* Remove unused `# type: ignore`s (#12531)David Robertson2022-04-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | Over time we've begun to use newer versions of mypy, typeshed, stub packages---and of course we've improved our own annotations. This makes some type ignore comments no longer necessary. I have removed them. There was one exception: a module that imports `select.epoll`. The ignore is redundant on Linux, but I've kept it ignored for those of us who work on the source tree using not-Linux. (#11771) I'm more interested in the config line which enforces this. I want unused ignores to be reported, because I think it's useful feedback when annotating to know when you've fixed a problem you had to previously ignore. * Installing extras before typechecking Lacking an easy way to install all extras generically, let's bite the bullet and make install the hand-maintained `all` extra before typechecking. Now that https://github.com/matrix-org/backend-meta/pull/6 is merged to the release/v1 branch.
* Implement a Jinja2 filter to extract localparts from email addresses (#12212)Brendan Abolivier2022-03-111-0/+6
|
* Update the SSO username picker template to comply with SIWA guidelines (#12210)Brendan Abolivier2022-03-111-1/+11
| | | Fixes https://github.com/matrix-org/synapse/issues/12205
* Remove `HomeServer.get_datastore()` (#12031)Richard van der Hoff2022-02-231-1/+1
| | | | | | | The presence of this method was confusing, and mostly present for backwards compatibility. Let's get rid of it. Part of #11733
* Adds misc missing type hints (#11953)Patrick Cloke2022-02-111-2/+2
|
* Save the OIDC session ID (sid) with the device on login (#11482)Quentin Gliech2021-12-061-23/+35
| | | As a step towards allowing back-channel logout for OIDC.
* Use direct references for configuration variables (part 4). (#10893)Patrick Cloke2021-09-231-1/+1
|
* Require type hints in the handlers module. (#10831)Patrick Cloke2021-09-201-17/+17
| | | | | | | Adds missing type hints to methods in the synapse.handlers module and requires all methods to have type hints there. This also removes the unused construct_auth_difference method from the FederationHandler.
* Use direct references for some configuration variables (#10798)Patrick Cloke2021-09-131-1/+1
| | | | Instead of proxying through the magic getter of the RootConfig object. This should be more performant (and is more explicit).
* Remove unstable MSC2858 API, including `experimental.msc2858_enabled` config ↵Sean2021-09-091-3/+0
| | | | | option (#10693) Signed-off-by: Sean Quah <seanq@element.io>
* [pyupgrade] `synapse/` (#10348)Jonathan de Jong2021-07-191-18/+20
| | | | | | | | | This PR is tantamount to running ``` pyupgrade --py36-plus --keep-percent-format `find synapse/ -type f -name "*.py"` ``` Part of #9744
* Use inline type hints in `handlers/` and `rest/`. (#10382)Jonathan de Jong2021-07-161-9/+9
|
* Allow OIDC cookies to work on non-root public baseurls (#9726)Andrew Morgan2021-04-231-5/+17
| | | | | Applied a (slightly modified) patch from https://github.com/matrix-org/synapse/issues/9574. As far as I understand this would allow the cookie set during the OIDC flow to work on deployments using public baseurls that do not sit at the URL path root.
* Make DomainSpecificString an attrs class (#9875)Erik Johnston2021-04-231-0/+5
|
* Rename handler and config modules which end in handler/config. (#9816)Patrick Cloke2021-04-201-0/+1384