summary refs log tree commit diff
path: root/synapse/handlers/oidc_handler.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Support for form_post in OIDC responses (#9376)Richard van der Hoff2021-02-171-22/+52
| | | Apple want to POST the OIDC auth response back to us rather than using query-params; add the necessary support to make that work.
* Allow OIDC config to override discovered values (#9384)Richard van der Hoff2021-02-161-9/+18
| | | Fixes #9347
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-7/+12
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Clean up caching/locking of OIDC metadata load (#9362)Richard van der Hoff2021-02-161-36/+53
| | | | Ensure that we lock correctly to prevent multiple concurrent metadata load requests, and generally clean up the way we construct the metadata cache.
* Add debug for OIDC flow (#9307)Richard van der Hoff2021-02-031-15/+25
|
* Put OIDC callback URI under /_synapse/client. (#9288)Richard van der Hoff2021-02-011-4/+4
|
* Add 'brand' field to MSC2858 response (#9242)Richard van der Hoff2021-01-271-0/+3
| | | | | | We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
* Support for scraping email addresses from OIDC providers (#9245)Richard van der Hoff2021-01-271-24/+28
|
* Support icons for Identity Providers (#9154)Richard van der Hoff2021-01-201-0/+3
|
* Fix bugs in handling clientRedirectUrl, and improve OIDC tests (#9127, #9128)Richard van der Hoff2021-01-181-1/+1
| | | | | | | | | | | | | | | | * Factor out a common TestHtmlParser Looks like I'm doing this in a few different places. * Improve OIDC login test Complete the OIDC login flow, rather than giving up halfway through. * Ensure that OIDC login works with multiple OIDC providers * Fix bugs in handling clientRedirectUrl - don't drop duplicate query-params, or params with no value - allow utf-8 in query-params
* Land support for multiple OIDC providers (#9110)Richard van der Hoff2021-01-151-7/+20
| | | | | | | | | | | | | | | | | | | | | | | This is the final step for supporting multiple OIDC providers concurrently. First of all, we reorganise the config so that you can specify a list of OIDC providers, instead of a single one. Before: oidc_config: enabled: true issuer: "https://oidc_provider" # etc After: oidc_providers: - idp_id: prov1 issuer: "https://oidc_provider" - idp_id: prov2 issuer: "https://another_oidc_provider" The old format is still grandfathered in. With that done, it's then simply a matter of having OidcHandler instantiate a new OidcProvider for each configured provider.
* Store an IdP ID in the OIDC session (#9109)Richard van der Hoff2021-01-151-6/+16
| | | | | Again in preparation for handling more than one OIDC provider, add a new caveat to the macaroon used as an OIDC session cookie, which remembers which OIDC provider we are talking to. In future, when we get a callback, we'll need it to make sure we talk to the right IdP. As part of this, I'm adding an idp_id and idp_name field to the OIDC configuration object. They aren't yet documented, and we'll just use the old values by default.
* Split OidcProvider out of OidcHandler (#9107)Richard van der Hoff2021-01-141-98/+148
| | | | | | | The idea here is that we will have an instance of OidcProvider for each configured IdP, with OidcHandler just doing the marshalling of them. For now it's still hardcoded with a single provider.
* Extract OIDCProviderConfig objectRichard van der Hoff2021-01-131-17/+20
| | | | | Collect all the config options which related to an OIDC provider into a single object.
* Preparatory refactors of OidcHandler (#9067)Richard van der Hoff2021-01-131-141/+163
| | | | | | | | Some light refactoring of OidcHandler, in preparation for bigger things: * remove inheritance from deprecated BaseHandler * add an object to hold the things that go into a session cookie * factor out a separate class for manipulating said cookies
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-0/+3
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Combine the SSO Redirect Servlets (#9015)Richard van der Hoff2021-01-041-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-32/+27
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Push login completion down into SsoHandler (#8941)Richard van der Hoff2020-12-161-35/+27
| | | This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` down into the `SsoHandler`.
* Simplify the flow for SSO UIA (#8881)Richard van der Hoff2020-12-081-12/+32
| | | | | | | | | * SsoHandler: remove inheritance from BaseHandler * Simplify the flow for SSO UIA We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.
* Fix a regression that mapping providers should be able to redirect users. ↵Patrick Cloke2020-12-041-1/+1
| | | | | (#8878) This was broken in #8801.
* Fix a regression when grandfathering SAML users. (#8855)Patrick Cloke2020-12-021-2/+28
| | | | | | This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-70/+50
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Properly report user-agent/IP during registration of SSO users. (#8784)Patrick Cloke2020-11-231-1/+1
| | | | | This also expands type-hints to the SSO and registration code. Refactors the CAS code to more closely match OIDC/SAML.
* Improve error checking for OIDC/SAML mapping providers (#8774)Patrick Cloke2020-11-191-5/+20
| | | | | | Checks that the localpart returned by mapping providers for SAML and OIDC are valid before registering new users. Extends the OIDC tests for existing users and invalid data.
* Abstract shared SSO code. (#8765)Patrick Cloke2020-11-171-59/+33
| | | De-duplicates code between the SAML and OIDC implementations.
* Fix typos and spelling errors. (#8639)Patrick Cloke2020-10-231-3/+3
|
* Fix handling of User-Agent headers with bad utf-8. (#8632)Erik Johnston2020-10-231-3/+1
|
* Add config option for always using "userinfo endpoint" for OIDC (#7658)BBBSnowball2020-10-011-4/+7
| | | This allows for connecting to certain IdPs, e.g. GitLab.
* Allow additional SSO properties to be passed to the client (#8413)Patrick Cloke2020-09-301-3/+53
|
* Allow existing users to login via OpenID Connect. (#8345)Tdxdxoz2020-09-251-15/+27
| | | | | | | Co-authored-by: Benjamin Koch <bbbsnowball@gmail.com> This adds configuration flags that will match a user to pre-existing users when logging in via OpenID Connect. This is useful when switching to an existing SSO system.
* Improve SAML error messages (#8248)Patrick Cloke2020-09-141-2/+2
|
* Ensure that the OpenID Connect remote ID is a string. (#8190)Patrick Cloke2020-08-281-0/+3
|
* Allow denying or shadow banning registrations via the spam checker (#8034)Patrick Cloke2020-08-201-3/+18
|
* Be stricter about JSON that is accepted by Synapse (#8106)Patrick Cloke2020-08-191-3/+3
|
* Use the default templates when a custom template file cannot be found (#8037)Andrew Morgan2020-08-171-4/+1
| | | Fixes https://github.com/matrix-org/synapse/issues/6583
* Change HomeServer definition to work with typing.Erik Johnston2020-08-111-3/+5
| | | | | | | | | | Duplicating function signatures between server.py and server.pyi is silly. This commit changes that by changing all `build_*` methods to `get_*` methods and changing the `_make_dependency_method` to work work as a descriptor that caches the produced value. There are some changes in other files that were made to fix the typing in server.py.
* Ensure that HTML pages served from Synapse include headers to avoid embedding.Patrick Cloke2020-07-021-9/+4
|
* Cleanups to the OpenID Connect integration (#7628)Richard van der Hoff2020-06-031-7/+20
| | | | docs, default configs, comments. Nothing very significant.
* Support UI Authentication for OpenID Connect accounts (#7457)Patrick Cloke2020-05-151-19/+57
|
* Implement OpenID Connect-based login (#7256)Quentin Gliech2020-05-081-0/+998