path: root/synapse/handlers/oidc_handler.py
Commit message [Author, Age, Files, Lines]
* Rename handler and config modules which end in handler/config. (#9816) [Patrick Cloke, 2021-04-20, 1 file, -1387/+0]
* Remove redundant "coding: utf-8" lines (#9786) [Jonathan de Jong, 2021-04-14, 1 file, -1/+0]
  Part of #9744
  Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now.
  Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>
* Make it possible to use dmypy (#9692) [Erik Johnston, 2021-03-26, 1 file, -0/+3]
  Running `dmypy run` will do a `mypy` check while spinning up a daemon that makes rerunning `dmypy run` a lot faster. `dmypy` doesn't support `follow_imports = silent` and has `local_partial_types` enabled, so this PR enables those options and fixes the issues that were newly raised. Note that `local_partial_types` will be enabled by default in upcoming mypy releases.
* Add SSO attribute requirements for OIDC providers (#9609) [Hubbe, 2021-03-16, 1 file, -0/+13]
  Allows limiting who can login using OIDC via the claims made from the IdP.
* Handle an empty cookie as an invalid macaroon. (#9620) [Patrick Cloke, 2021-03-16, 1 file, -1/+2]
  * Handle an empty cookie as an invalid macaroon.
  * Newsfragment
* Add support for stable MSC2858 API (#9617) [Richard van der Hoff, 2021-03-16, 1 file, -0/+3]
  The stable format uses different brand identifiers, so we need to support two identifiers for each IdP.
* Fix additional type hints from Twisted 21.2.0. (#9591) [Patrick Cloke, 2021-03-12, 1 file, -4/+5]
* JWT OIDC secrets for Sign in with Apple (#9549) [Richard van der Hoff, 2021-03-09, 1 file, -5/+96]
  Apple had to be special. They want a client secret which is generated from an EC key.
  Fixes #9220. Also fixes #9212 while I'm here.
* Record the SSO Auth Provider in the login token (#9510) [Richard van der Hoff, 2021-03-04, 1 file, -51/+14]
  This great big stack of commits is a whole load of hoop-jumping to make it easier to store additional values in login tokens, and then to actually store the SSO Identity Provider in the login token. (Making use of that data will follow in a subsequent PR.)
* Support for form_post in OIDC responses (#9376) [Richard van der Hoff, 2021-02-17, 1 file, -22/+52]
  Apple want to POST the OIDC auth response back to us rather than using query-params; add the necessary support to make that work.
* Allow OIDC config to override discovered values (#9384) [Richard van der Hoff, 2021-02-16, 1 file, -9/+18]
  Fixes #9347
* Update black, and run auto formatting over the codebase (#9381) [Eric Eastwood, 2021-02-16, 1 file, -7/+12]
  - Update black version to the latest
  - Run black auto formatting over the codebase
  - Run autoformatting according to [`docs/code_style.md`](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md)
  - Update `code_style.md` docs around installing black to use the correct version
* Clean up caching/locking of OIDC metadata load (#9362) [Richard van der Hoff, 2021-02-16, 1 file, -36/+53]
  Ensure that we lock correctly to prevent multiple concurrent metadata load requests, and generally clean up the way we construct the metadata cache.
* Add debug for OIDC flow (#9307) [Richard van der Hoff, 2021-02-03, 1 file, -15/+25]
* Put OIDC callback URI under /_synapse/client. (#9288) [Richard van der Hoff, 2021-02-01, 1 file, -4/+4]
* Add 'brand' field to MSC2858 response (#9242) [Richard van der Hoff, 2021-01-27, 1 file, -0/+3]
  We've decided to add a 'brand' field to help clients decide how to style the buttons.
  Also, fix up the allowed characters for idp_id, while I'm in the area.
* Support for scraping email addresses from OIDC providers (#9245) [Richard van der Hoff, 2021-01-27, 1 file, -24/+28]
* Support icons for Identity Providers (#9154) [Richard van der Hoff, 2021-01-20, 1 file, -0/+3]
* Fix bugs in handling clientRedirectUrl, and improve OIDC tests (#9127, #9128) [Richard van der Hoff, 2021-01-18, 1 file, -1/+1]
  * Factor out a common TestHtmlParser
    Looks like I'm doing this in a few different places.
  * Improve OIDC login test
    Complete the OIDC login flow, rather than giving up halfway through.
  * Ensure that OIDC login works with multiple OIDC providers
  * Fix bugs in handling clientRedirectUrl
    - don't drop duplicate query-params, or params with no value
    - allow utf-8 in query-params
* Land support for multiple OIDC providers (#9110) [Richard van der Hoff, 2021-01-15, 1 file, -7/+20]
  This is the final step for supporting multiple OIDC providers concurrently.
  First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one.
  Before:
    oidc_config:
      enabled: true
      issuer: "https://oidc_provider"
      # etc
  After:
    oidc_providers:
      - idp_id: prov1
        issuer: "https://oidc_provider"
      - idp_id: prov2
        issuer: "https://another_oidc_provider"
  The old format is still grandfathered in.
  With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Store an IdP ID in the OIDC session (#9109) [Richard van der Hoff, 2021-01-15, 1 file, -6/+16]
  Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP.
  As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Split OidcProvider out of OidcHandler (#9107) [Richard van der Hoff, 2021-01-14, 1 file, -98/+148]
  The idea here is that we will have an instance of OidcProvider for each configured IdP, with OidcHandler just doing the marshalling of them. For now it's still hardcoded with a single provider.
* Extract OIDCProviderConfig object [Richard van der Hoff, 2021-01-13, 1 file, -17/+20]
  Collect all the config options which relate to an OIDC provider into a single object.
* Preparatory refactors of OidcHandler (#9067) [Richard van der Hoff, 2021-01-13, 1 file, -141/+163]
  Some light refactoring of OidcHandler, in preparation for bigger things:
  * remove inheritance from deprecated BaseHandler
  * add an object to hold the things that go into a session cookie
  * factor out a separate class for manipulating said cookies
* Add initial support for a "pick your IdP" page (#9017) [Richard van der Hoff, 2021-01-05, 1 file, -0/+3]
  During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Combine the SSO Redirect Servlets (#9015) [Richard van der Hoff, 2021-01-04, 1 file, -5/+10]
  * Implement CasHandler.handle_redirect_request
    ... to make it match OidcHandler and SamlHandler
  * Clean up interface for OidcHandler.handle_redirect_request
    Make it accept `client_redirect_url=None`.
  * Clean up interface for `SamlHandler.handle_redirect_request`
    ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`.
  * Define a common protocol for SSO auth provider impls
  * Give SsoIdentityProvider an ID and register them
  * Combine the SSO Redirect servlets
    Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP.
  * changelog
* Implement a username picker for synapse (#8942) [Richard van der Hoff, 2020-12-18, 1 file, -32/+27]
  The final part (for now) of my work to implement a username picker in synapse itself.
  The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks).
  The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up.
  Fixes #8876.
* Push login completion down into SsoHandler (#8941) [Richard van der Hoff, 2020-12-16, 1 file, -35/+27]
  This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` down into the `SsoHandler`.
* Simplify the flow for SSO UIA (#8881) [Richard van der Hoff, 2020-12-08, 1 file, -12/+32]
  * SsoHandler: remove inheritance from BaseHandler
  * Simplify the flow for SSO UIA
    We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.
* Fix a regression that mapping providers should be able to redirect users. (#8878) [Patrick Cloke, 2020-12-04, 1 file, -1/+1]
  This was broken in #8801.
* Fix a regression when grandfathering SAML users. (#8855) [Patrick Cloke, 2020-12-02, 1 file, -2/+28]
  This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Support trying multiple localparts for OpenID Connect. (#8801) [Patrick Cloke, 2020-11-25, 1 file, -70/+50]
  Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Properly report user-agent/IP during registration of SSO users. (#8784) [Patrick Cloke, 2020-11-23, 1 file, -1/+1]
  This also expands type-hints to the SSO and registration code. Refactors the CAS code to more closely match OIDC/SAML.
* Improve error checking for OIDC/SAML mapping providers (#8774) [Patrick Cloke, 2020-11-19, 1 file, -5/+20]
  Checks that the localpart returned by mapping providers for SAML and OIDC is valid before registering new users. Extends the OIDC tests for existing users and invalid data.
* Abstract shared SSO code. (#8765) [Patrick Cloke, 2020-11-17, 1 file, -59/+33]
  De-duplicates code between the SAML and OIDC implementations.
* Fix typos and spelling errors. (#8639) [Patrick Cloke, 2020-10-23, 1 file, -3/+3]
* Fix handling of User-Agent headers with bad utf-8. (#8632) [Erik Johnston, 2020-10-23, 1 file, -3/+1]
* Add config option for always using "userinfo endpoint" for OIDC (#7658) [BBBSnowball, 2020-10-01, 1 file, -4/+7]
  This allows for connecting to certain IdPs, e.g. GitLab.
* Allow additional SSO properties to be passed to the client (#8413) [Patrick Cloke, 2020-09-30, 1 file, -3/+53]
* Allow existing users to login via OpenID Connect. (#8345) [Tdxdxoz, 2020-09-25, 1 file, -15/+27]
  Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com>
  This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Improve SAML error messages (#8248) [Patrick Cloke, 2020-09-14, 1 file, -2/+2]
* Ensure that the OpenID Connect remote ID is a string. (#8190) [Patrick Cloke, 2020-08-28, 1 file, -0/+3]
* Allow denying or shadow banning registrations via the spam checker (#8034) [Patrick Cloke, 2020-08-20, 1 file, -3/+18]
* Be stricter about JSON that is accepted by Synapse (#8106) [Patrick Cloke, 2020-08-19, 1 file, -3/+3]
* Use the default templates when a custom template file cannot be found (#8037) [Andrew Morgan, 2020-08-17, 1 file, -4/+1]
  Fixes https://github.com/matrix-org/synapse/issues/6583
* Change HomeServer definition to work with typing. [Erik Johnston, 2020-08-11, 1 file, -3/+5]
  Duplicating function signatures between server.py and server.pyi is silly. This commit changes that by changing all `build_*` methods to `get_*` methods and changing the `_make_dependency_method` to work as a descriptor that caches the produced value.
  There are some changes in other files that were made to fix the typing in server.py.
* Ensure that HTML pages served from Synapse include headers to avoid embedding. [Patrick Cloke, 2020-07-02, 1 file, -9/+4]
* Cleanups to the OpenID Connect integration (#7628) [Richard van der Hoff, 2020-06-03, 1 file, -7/+20]
  docs, default configs, comments. Nothing very significant.
* Support UI Authentication for OpenID Connect accounts (#7457) [Patrick Cloke, 2020-05-15, 1 file, -19/+57]
* Implement OpenID Connect-based login (#7256) [Quentin Gliech, 2020-05-08, 1 file, -0/+998]